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PREFACE 


The requirements documented in this technical note were generated in support of NASA contract 
NAS 1-1 8586, Design and Validation of Digital Flight Control Systems Suitable for Fly-By-Wire 
Applications, Task Assignment 2. These requirements are for an Advanced Subsonic Civil 
Transport (ASCT) flight control system and were generated using structured techniques. The 
requirement definition started with performing a mission analysis of a typical transport aircraft to 
identify the high-level control system requirements and control functions necessary to control the 
mission flight. The functional requirements were then decomposed using structured method 
techniques. Finally, detailed performance requirements obtained from the Federal Aviation 
Requirements (FAR), FAR Special Conditions, and Military Specifications (MIL-SPEC) were 
allocated to the funcitonal requirements. The result is an example set of control system 
requirements that can provide a research focus for studying structured design methodologies and in 
particular design-for-validation philosophies. This set is a collection of requirements from 
different sources (FAR and MIL-SPECs) and as such does not represent the design requirements 
for any actual airplane. 
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1.0 Introduction 


This technical note documents a set of structured flight control system requirements and the 
methodology used to generate these. Functional requirements were generated for an ad- 
vanced flight control system for an Advanced Subsonic Commercial Transport (ASCT) of 
the mid-1990s. These requirements have been generated and organized using a structured 
approach in a manner to support structured design methodologies. High level flight control 
functional requirements for the ASCT were defined based on a mission analysis. These 
requirements were then decomposed in a structured manner using the Extended System 
Modeling Language (ESML) to obtain the flight control detailed functional requirements. 
Detailed performance, safety and availability requirements were then added to the func- 
tional model. Finally, the requirements were entered and stored in a database using the 
Excelerator/RTS software package w'hich supports structured modeling and in particular the 
ESML for structured requirements generation. The result is an example set of control sys- 
tem requirements to provide a research focus for studying structured design methodologies 
and candidate system architectures for future aircraft. 
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2.0 Requirements Generation 

The functional requirements were developed using a structured approach to system design 
(Appendix A) which makes use of the Extended System Modeling Language (ESML) de- 
scribed in Appendix B. The use of ESML requires starting with a high level function to be 
performed rather than immediately addressing a particular system or subsystem. Using this 
approach allows one to take a top down approach and consider the complete function to be 
performed independent of the implementation (system design). This allows for considering 
all functions to be performed and for allocating those functions to systems in a logical 
manner such that the implementation is based on sound engineering judgment and is not 
overly biased by previous designs. 

Once the overall high level function is defined, it is decomposed into several levels of func- 
tional requirements. Detailed performance, availability and safety requirements are added 
to the functional requirements. Subsequently, several candidate architectural models (Ap- 
pendix C) are developed. The low level functional requirements are then allocated to the 
architecture which best meets the detailed performance requirements. 

This effort involved the generation of requirements for a flight control system (FCS). The 
FCS is used together with the airframe, propulsion system, sensor system, crew and operat- 
ing environment to fly a mission. Thus, the highest level functional requirement is to Fly 
Mission. Starting at such a high level allows for setting performance requirements on the 
complete system rather than solely on the subsystem of interest (FCS). Thus, for example 
one can include handling qualities requirements which the airframe, sensor system, flight 
control system and operating environment must meet as a whole. The functional require- 
ments and the associated performance requirements are then decomposed to levels where 
all low level functions can be allocated to entities on the architectural model. If the perform- 
ance requirements are properly decomposed and if each lower level function meets its re- 
quirements, then the high level requirements will be satisfied. And correspondingly, if each 
architectural entity satisfies the performance requirements of the functions assigned to it, 
then the complete architecture will satisfy the high level requirement. 

Decomposition of the Fly Mission function results in many functions which certainly will not 
be allocated to the flight control system. An example is the Navigate function on the Fly 
Mission transform graph, which would be performed by the crew or a flight management 
computer. For this exercise, only those functions which may be performed in whole or in 
part by the FCS were further decomposed and assigned detailed performance requirements. 
Functions which clearly will not be performed by the FCS appear on a transform graph but 
are not defined in detail. The following details the functional decomposition, detailed 
requirements specification and allocation of functions to the flight control system. 

The functional requirements were developed by starting with a functional requirement to 
Fly Mission. This function involves the generation of a target flight path by some kind of 
Navigation function based on the mission and the generation of the actual flight path by the 
Control Mission Flight function based on the desired flight path. The decomposition of a 
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high level function (Fly Mission) into lower level functions (Navigate and Control Mission 
Flight) illustrates the process of functional decomposition and is shown pictorially with a 
transform graph (see Fly Mission transform graph on page 12). (Note that the blocks used 
to represent functional requirements on a transform graph are referred to as the transform 
graph processes.) The Navigation and Control Mission Flight functions and data flows on 
the Fly Mission transform graph are defined and entered into the project data base. A 
mission analysis was performed to define the control system requirements necessary to 
control the mission flight. These are then grouped into control functions which form the 
functional requirements for the Control Mission Flight transform graph (see pages 16 and 
87 ). Detailed performance and availability requirements were then generated for the Con- 
trol Mission Flight function. The detailed performance requirements include handling 
qualities requirements, flight envelope requirements and dynamic maneuver response 
requirements. Many of the detailed requirements were obtained from Federal Aviation 
Regulations (FARs) (Ref. 1), FAR Special Conditions (Ref. 2) and Military Specifications 
M1L-F-8785C (Ref. 3) and MIL-F-9490D (Ref. 4) and these have been crossreferenced to 
the appropriate document. Availability’ requirements are expressed as a probability of loss 
of the function per flight hour. 

Functional requirements (transform graphs) and detailed performance requirements were 
then generated for each of the functions on the Control Mission Flight which pertained to the 
flight control system (i.e. Control Aerodynamic Braking, Control Lift Configuration, Con- 
trol Pitch, Control Roll and Control Yaw). This process of breaking down a function into 
lower level functional requirements and generating detailed performance requirements was 
continued to a level of detail at which it was unambiguous as to whether or not the function 
should be assigned to the FCS. Context diagrams were then generated for the Control Pitch, 
Control Roll and Control Yaw functions to show which functions will be performed by the 
FCS and to identify any necessary interface functions to the non FCS functions. Those 
functions not to be performed by the FCS are allocated to other entities on a preliminary 
version of the architecture model. The remaining functions are to be performed by the FCS. 
Context diagrams (i.e. Flight Cntrl Sys Pitch Context) capture this information by showing 
all the FCS functions grouped into one function (i.e. Flight Control System Pitch Functions;, 
surrounded by the external architectural entities (i.e. the Pilot, Copilot, and Auto-Flight 
System) which have been assigned the non FCS functions under the Control Pitch function. 
The transform graph for the Flight Control System Pitch Functions will then contain all the 
FCS pitch axis functions previously identified, but will also include any additional functions 
required as a result of the assignment of non FCS functions to architectural entities. For the 
pitch axis example, the following additional functional requirements were generated: Pro- 
vide Pilot Pitch Interface, Provide Copilot Pitch Interface, and Resolve Pitch Control Conten- 
tion. These three functional requirements were all generated as a result of assigning the 
function, Generate Flight Path Command Manual, to both the pilot and copilot. The use of 
the context diagram allow r s for quickly identifying additional functional requirements gener- 
ated as a result of the architectural assignment and thus provides a degree of feedback to the 
architecture design process and allows for early evaluation of candidate architectures. 
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An architectural model was generated starting with The System which is composed of the 
Flight Environment and the Aircraft. The Aircraft is then decomposed into major subsys- 
tems including the Flight Control System, Airframe Systems, Propulsion System, Sensor 
System, Auto-Flight System and the Crew. Finally the Flight Control System is broken into 
subsystems including crew controllers, flight control computers, and actuation systems. The 
flight control system functions were then allocated to the architectural model as appropriate. 
The architectural entities then assume the detailed performance and availability require- 
ments of the functions assigned to them. Subsequently design trade studies are conducted to 
determine a design which best satisfies the detailed requirements. The result of the trade 
studies are design requirements for the architectural entities. In this study some preliminary 
design requirements have been included to demonstrate the nature of the design require- 
ments. 
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3.0 Excelera tor/RTS Overview 

Excelerator/RTS (Reference 5) is a set of automated tools for real time system modeling, 
analysis and design. These tools allow for depicting systems with time-critical control 
and processing such as avionics systems. They support the techniques presented by key 
theoreticians and used by many real time systems practitioners. In particular the system 
supports the Extended System Modeling Language (ESML) described in Appendix A and 

Appendix B. 

Automated tools make analysis and design more efficient and reliable. Design can be 
quickly and easily modified to incorporate test results and user feedback. Project work 
can be shared among many engineers, while controlling updates and data integrity. A 
variety of analysis and reporting tools allow for evaluation of completeness and correct- 
ness. Together these tools allow for iterative systems design. 

The Excelerator/RTS tools are grouped into the following capabilities: 

• A graphics facility which allows for visual representation of systems that handle timing 
control and monitoring functions. The transform graph feature of this facility was used to 
document the functional requirements decomposition. This illustrated both functions to 
be performed and the data flows associated with these functions. 

• A data dictionary wherein the information describing the system is stored. Descrip- 
tions of the functional requirements, associated data flows and associated detailed per- 
formance requirements were stored in the data base for subsequent report generation and 

analysis. 

• Analysis reports to help evaluate the consistency and methodological accuracy of the 
system model. An example is graph balancing which checks for data and control flow 
consistency between parent and child transform graphs. 

• Prototyping facilities to design screens and reports customized for the particular pro- 
ject. Screens were designed for each of the entities on transform graphs to allow for 
defining such entities and assigning performance requirements to each. The reports gen- 
erated for the transform graphs were all generated using this feature. 

• A documentation facility that allows for producing system documents. The final re- 
quirements document was generated by linking all the necessary graphics, reports and 
analysis for the complete functional requirements model using this feature. 
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4.0 Advanced Flight Control System Requirements 

This section contains the example set of structured requirements for an advanced flight 
control system for an Advanced Subsonic Civil Transport (ASCT) of the mid-1990s. The 
requirements are not representative of any actual airplane design but rather shall provide a 
research focus for studying structured design methodologies. These requirements were gen- 
erated as described in section 2.0 and are organized as follows. 

The transform graphs representing the functional requirements decomposition are shown in 
Figure 1. The top level, Fly Mission, is decomposed into two functions Navigate and Control 
Mission Flight (see page 12). The Navigate function is outside the Flight Control System 
(FCS) context and thus is not functionally decomposed in this document. The Control 
Mission Flight is within the FCS context and is functionally decomposed as shown on page 
87 (Control Mission Flight transform graph). Those functions within the FCS context are 
further decomposed and are shown on Figure 1. Note that the Control Thrust, Control 
Braking on Ground, Control Heading on Ground and the Update Aircraft State functions 
were not considered to be pan of the primary flight control system and thus were not decom- 
posed. Figure 1 shows how the functional requirements have been organized in this chapter. 
Start at the top level (Control Mission Flight) and move down the tree from left to right going 
down to the lowest level possible on each branch. Figure 2 shows the reports generated for 
each transform graph. These consist of the transform graph figure followed be a set of 
reports describing the elements on the transform graphs. These are shown on page 13 for 
the Fly Mission transform graph. If performance requirements are levied on a function on a 
transform graph, a report detailing the associated requirements files and the actual require- 
ments files are included. These are shown on pages 1 7 thru 86 for the Control Mission Flight 
function on the Fly Mission transform graph (page 12). Referring to Figure 1, the Control 
Aerodynamic Braking requirements (transform graph, reports and requirements) follow the 
Control Mission Flight requirements. The Control Aerodynamic Braking transform graph is 
shown on page 105 and associated reports and requirements are on pages 106 thru 111. 

The architectural model is organized in a hierarchical fashion starting at The System level 
composed of the Flight Environment and Aircraft which is decomposed into several levels 
down to the elements of the Flight Control System. Each level in the decomposition consists 
of an architecture diagram, and architecture requirements report and the associated require- 
ments. 
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Figure 1 

Organization of Control Functions with Detailed Requirements 
(Described Data Transforms) 
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Process Descriptions 
Fly Mission 


Expl name 


Description 

Thls'Kinction'recelves'a'target'f light path (generated by navigation) 

generate a flight path which matches the target flight path. 


This function generates the target 
particular mission requirements and 
environmental conditions. 


flight path based on the 
, anticipated and sensed 


Control Mission Flight 


Navigate 


Data Flow Description 
Fly Mission 


Description 


sss.uj'a-ftA’a.Hssa *■ 

requirements . 


Aircraft pitch, roll and heading attitudes. 

Definition of particular flight mission from which the target flight 
path can be generated. 

The desired 4 dimensional flight path and attitudes generated by 
some navigation function. 


Name 

Actual Flight Path 

Aircraft Attitudes 
Mission Definition 

Target Flight Path 


Process Requirements Links 
Fly Mission 


Expl name 

Control Mission Flight 


I-L Reference 

Mission. Analysis 

Cntrl . Mission . Flight .Req.List 


Navigate 


TYPICAL MISSION PROFILE 




TABLE 1. Analysis of Mission Segments 


MISSION 

SEGMENT 


CONTROL ACTION 


DRIVER 


CONTROL SYSTEM 
REQUIREMENT 


TAXI-OUT Si 
TAXI-IN 



MOVE FROM PASSENGER 
TERMINAL TO RUNWAY. 


ACCELERATE TO TAKEOFF 
SPEED & DEPART RUNWAY. 


CLIMBOUT Sl 
CLIMB 


ascend to cruise 
altitude and speed 


TERRAIN AND OBSTACLE 
AVOIDANCE. 


runway length 

THRUST LIMITS 
CROSSWIND CONDITIONS. 


TIME CONSTRAINT 
FUEL CONSUMPTION 
EASE PILOT WORKLOAD 
RIDE QUALITY 
AIRSPACE CONTROL 
TURBULENCE 


SPEED CONTROL 
NOSEWHEEL STEERING. 


SET HIGH LIFT 
SET TAKEOFF TRIM 
THRUST SETTING 
NOSEWHEEL STEERING 
ENGINE OUT AUGMENTATION 
ON GROUND BRAKING 
STALL ANGLE OF ATTACK 
WARNING 

MANUAL TRAJECTORY 
CONTROL 


THRUST SETTING 
MANUAL TRAJECTORY CONTROL 
AUTO TRAJECTORY CONTROL 
MANUAL Si AUTO TRIM 
ENVELOPE PROTECTION 

AUTO control limiting 

LIFT CONTROL 



DESCENT & 
APPROACH 


DESCEND FROM CRUISE 
TO APPROACH ALTITUDE 
AND SLOW TO 
LANDING SPEED 


EASE PILOT WORKLOAD 
FUEL CONSUMPTION 
MINIMIZE DRAG 
RIDE QUALITY 


EASE PILOT WORKLOAD 
RIDE QUALITY 
CROSSWIND CONDITIONS 
ALL WEATHER APPROACHES 
TIGHT PATH FOLLOWING 


SPEED CONTROL 

MANUAL TRAJECTORY CONTROL 
AUTO TRAJECTORY CONTROL 
MANUAL Si AUTO TRIM 
ENVELOPE PROTECTION 
AUTO CONTROL LIMITING 
LIFT CONTROL 


SPEED CONTROL 

MANUAL TRAJECTORY CONTROL 
AUTO TRAJECTORY CONTROL 
MANUAL & AUTO TRIM 
ENVELOPE PROTECTION 
AUTO CONTROL LIMITING 
LIFT CONTROL 



MISSED 

APPROACH 


FLARE, TOUCHDOWN & 
DECCELERATE TO TAXI 
SPEED 


RAPID THRUST CHANGE 
QUICK, HARD MANEUVERS 


RUNWAY LENGTH 
CROSSWIND CONDITIONS 
RAPID SPEED CHANGE 
TIGHT PATH FOLLOWING 
ALL WEATHER LANDINGS 
EASE PILOT WORKLOAD 


TERRAIN AND OBSTACLE 
AVOIDANCE. 

WIND SHEARS 
RIDE QUALITY 


SPEED CONTROL 
MANUAL TRAJECTORY CONTROL 
AUTO TRAJECTORY CONTROL 
ENVELOPE PROTECTION 
AUTO CONTROL LIMITING 
LIFT CONTROL 
STALL ANGLE OF ATTACK 
WARNING 

ON GROUND BRAKING 


THRUST CONTROL 
MANUAL TRAJECTORY CONTROL 
ENVELOPE PROTECTION 
LIFT CONTROL 

ENGINE OUT AUGMENTATION 
STALL ANGLE OF ATTACK 
WARNING 
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TABLE 2 Assignment of Control Requirements to Functions 


Control System Requirements 



Control Functions 


MANUAL TRAJECTORY 
CONTROL 


Longitudinal 

Lateral 

Directional 


Control Pitch 
Control Roll 
Control Yaw 


AUTOMATIC TRAJECTORY 
CONTROL 


Longitudinal 

Lateral 

Directional 


Control Pitch 
Control Roll 
Control Yaw 


MANUAL & AUTO TRIM 


Pitch Trim 
Roll Trim 
Sideslip Trim 


Control Pitch 
Control Roll 
Control Yaw 


ENVELOPE PROTECTION 


Stall 

Load Factor 
Overs peed 
Pitch Attitude 
Bank Angle 
Sideslip Angle 


Control Pitch 
Control Pitch. 
Control Pitch 
Control Pitch 
Control Roll 
Control Yaw 


SPEED CONTROL 


Propulsive Thrust 
Aerodynamic Braking 
Ground Force Braking 


Control Thrust 

Control Aerodynamic Braking 
Control Braking on Ground 


LIFT CONTROL 


Increase Lift 
Spoil Lift 


Control Lift Configuration 
Control Aerodynamic Braking 


NOSEWHEEL STEERING 


Ground Track 


Control Heading on Ground 


AUTOMATIC CONTROL LIMITING 


Longitudinal 

Lateral 

Directional 


Control Pitch 
Control Roll 
Control Yaw 


THRUST SETTING 


STALL ANGLE OF ATTACK 
WARNING 


ENGINE OUT AUGMENTATION 


Altitude 

Speed 



Lateral 

Directional 


Control Thrust 


Control Pitch 


Control Yaw 


ON GROUND BRAKING 


Speed 


Control Braking on Ground 































Control Mission Flight Performance Requirement List 

(This is the list performance requirements imposed on the Control Mission Flight function. 
The requirements are defined on the following pages.) 

C.M.F.1 General Control Requirements 

C.M.F.2 Handling Qualities 

C.M.F.3 Operational Flight Envelope 

C.M.F.4 Manual and Automatic Trim Functions 

C.M.F.5 Envelope Protection 

C.M.F.6 Autopilot Limiting and Actuation 

C.M.F.7 Maneuver Control Lags 

C.M.F.8 Requirements in Icing Conditions 

C.M.F.9 Control System Stability Requirement 

C.M.F.1 0 Residual Oscillations 

C.M.F.1 1 Longitudinal Control Power Requirements 

C.M.F.12 Longitudinal Trim Authority’ 

C.M.F.1 3 Enhanced Longitudinal Control Maneuver Response 

C.M.F.1 4 Roll Mode Time Constant 

C.M.F.1 5 Pilot - Induced Oscillations 

C.M.F.1 6 Stall Characteristics 

C.M.F.1 7 Lateral Control Power Requirements 

C.M.F.1 8 Roll Response Linearity 

C.M.F.19 Roll Control Cross Coupling 

C.M.F.20 Lateral Trim Authority’ 

C.M.F.2 1 Enhanced Roll Maneuver Control 
C.M.F.22 Dynamic Stability 
C.M.F.23 Turn Coordination 

C.M.F.24 Directional Control Power Requirements 
C.M.F.25 Directional Trim Authority’ 

C.M.F.26 Flutter Prevention Requirements 
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GENERAL CONTROL REQUIREMENTS (C.M.F.l) 

Two modes of manual aircraft control shall be provided: core control and enhanced con- 
trol. 

The core control mode provides the minimum level of augmentation (e.g. yaw 
damper, Mach trim, etc.) required for FAA certification at all failure levels not ex- 
tremely improbable (probability < 1.0E— 9). Core control satisfies normal handling quali- 
ties criteria with all probable failures. With improbable failures (probability of failure 
between 1.0E-5 and 1.0E-9), core control shall satisfy the minimum acceptable 
handling qualities requirements. 

The enhanced control mode provides a reduction in pilot workload and increased control 
precision. It provides handling qualities equivalent to those for core control and includes 
envelope protection features and aircraft state hold modes. 

Transfer between core and enhanced control shall be automatic or crew selectable. Mode 
transition transients shall not result in a normal acceleration greater than 0.5 g, a lateral 
acceleration greater than 0.2 g or result in an unsafe condition during normal airline 
operation. 

Figure C.M.F.1-1 indicates the affect of handling qualities on the ability of the aircraft to 
carry out its mission. Normal handling qualities criteria guarantee that the aircraft can 
complete its scheduled flight. When handling qualities are degraded to the minimum 
acceptable level, continued safe flight and landing is possible but the scheduled mission 
may be affected. Detailed criteria for normal and minimum acceptable handling qualities 
are presented later in this document. 

An autoflight system will also generate maneuver control commands. The minimum level 
of augmentation provided by core control shall be available for the autoflight system. 
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f-t a \T)T TNCi m TAT TTY CRITERIA AN D AIRCRAFT OPERATIONAL STAT E 
NORMAL 

No significant flying qualities degradation 
Therefore: 

No change in operational procedures required. 

No change in flight plan 

Failure effects not apparent to the passengers 

MINIMUM acceptable 

The aircraft shall be capable of continued safe flight and landing without 
requiring exceptional pilot skill or strength. 

As a result one or more of the following will apply: 

Changes in operating procedures required 

Changes in flight plan may be required 

Flight envelope limitations may be imposed 

Significant reduction in the ability of the crew 
to cope with adverse condition 

Significant crew workload 


Fid JRF. C.M.F.1-1 
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HANDLING QUALITIES (C.M.F.2) 

Handling qualities shall be evaluated in piloted simulations. The following pilot ratings (as 
defined below) shall be satisfied in the normal flight envelope (shown in Figure C.M.F.3-1 - 
page 49) with light atmospheric turbulence. 


Control Level 
Core Control (Normal) 

Core Control (Minimum Acceptable) 
Enhanced Control 


Pilot Rating 

Satisfactory 

Adequate 

Satisfactory 


C.M.F.2. 1 Handling Qualities Tasks and Aircraft System States 

(Ref. 3 - MIL-F-8785C 3.8 & Ref. 6 - FAA Handling Qualities Assessment) 

a) A series of task-related maneuvers is defined which allows overall flying qualities to be 
evaluated in piloted simulations. These task related maneuvers are designed to allow for 
qualitative evaluation of the handling qualities for a given system failure state, flight 
envelope (figure C.M.F.3-2) and atmospheric disturbance environment. The basic premise 
is that the acceptable failure probability interval must be based on an inverse relationship 
between the probability of the failure condition and the severity of its effect on the 
aircraft. (FAR AC 25.1309-1) The qualitative degrees of suitability of flying qualities are 

categorized as follows: 


Satisfactory- 

Adequate 


Full performance criteria met with routine pilot effort and attention. 

Adequate for continued safe flight and landing; full or specified reduced 
performance met, but w'ith heightened pilot effort and attention. 


Controllable Inadequate for continued safe flight and landing, but controllable for 
return to safe flight condition, a safe flight envelope and/or 
reconfiguration so that handling qualities are at least adequate. 


This three-level category 1 system can be used by a pilot to grade the overall aircraft perform- 
ance in a given control system failure state, portion of the flight envelope and atmospheric 
disturbance environment. 

b) Figure C.M.F.2-1 classifies control system failure states into two groups, A and B, as a 
function of failure probability interval. 

c) Figure C.M.F.2-2 defines qualitative flying qualities required for each combination of 
atmospheric disturbance environment, flight envelope and control system failure state. 
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These requirements shall be evaluated in piloted simulations of the task related maneu- 
vers described in Paragraph C.M.F.2.4 with the appropriate control system failure states 
and the atmospheric disturbance environment. 

d) Figure C.M.F.2-3 defines the atmospheric disturbance levels as a function of the 
probability of exceedance. The atmospheric disturbance models to be used in the simula- 
tions are defined in paragraph C.M.F.2.3 and are a function of the probability of ex- 
ceedance and altitude of the evaluation maneuver. The models of wind shear and random 
turbulence shall be used to assess: 

1) The effects of certain environmental conditions on the flying qualities of the 
airplane; 

2) The ability of the pilot to recover from upsets caused by environmental 
conditions. 

3) Flight path control precision during landing. 

C.M.F.2.2 Multiple Failures 

For multiple control system failure states that are not extremely improbable including 
stability augmentation system failures, the airplane shall be capable of the safe 
completion of a flight segment and landing. (FAR 25.671, FAR 25.672) This 
requirement shall also apply to operation in the backup control mode. 
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AIRCRAFT SYSTEM FAILURE STATE 


AIRCRAFT CONTROL PROBABILITY OF 

SYSTEM FAILURE STATE FAILURE STATE 

PROBABLE 

A (Probable failure conditions are those 

anticipated to occur one or more times 
during the entire operational life of each 
airplane.) 

IMPROBABLE 

B (Improbable failure conditions are those not 

anticipated to occur during the entire 
operational lift of a single random airplane. 
However, they may occur occasionally during 
the entire operational life of all airplanes of 
one type.) 


EXAMPLES: PROBABLE FAILURES (STATE A) : 

Loss of one hydraulic system 

Partial loss of high lift control capability 


IMPROBABLE FAILURES ( STATE B) : 

Loss of two hydraulic systems 

Loss of two pairs of spoilers or one pair of spoilers and ailerons 
Any jam not shown to be extremely improbable 
Any single failure which is not considered a probable failure 
Loss of control and stability augmentation systems 


FIGURE C.M.F.2-1 
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Atmospheric 

Disturbance 

Environment 

Aircraft System State 

A 

B 

Normal 
Operational 
Flicht Envelope 

Permissible 
Flight Envelope 

Normal 
Operational 
Right Envelope 

Permissible 
Flight Envelope 

Light 

Satisfactory 

Acceptable 

Acceptable 

Controllable 

Moderate 

Acceptable 

Controllable 

Controllable 

Controllable 

Severe 

Controllable 

Controllable 




Figure C.M.F.2-2 

Minimum Qualitative Handling Qualities Requirements 


Atmospheric Disturbance 

Probability of Exceedance 

Light 

10 -1 < P 

Moderate 

-3 -1 

10 <P<10 

Severe 

-5 -3 

10 <P<10 


Figure C.M.F.2-3 

Atmospheric Disturbance Levels Definition 


23 




C.M.F.2.3 Atmospheric Environment 

Safe controllability shall be ensured in atmospheric turbulence. The following mean 
wind, turbulence and wind-shear models will be used for flight control system design but 
will be limited to acceleration levels which do not exceed the structural limits. Mean 
wind and turbulence levels are defined by a probability of exceedance and altitude. 
For the low altitude models (below about 3000 feet), the probability of exceedance 
defines a mean wind profile to be used for cross wind takeoff and landing evaluation. 
This wind level then defines the turbulence levels. For high altitude operation (above 
about 3000 feet), mean winds are not important for handling qualities so ex- 
ceedance probabilities directly define turbulence levels and a mean wind model is not 
used. 

C.M.F.2.3. 1 Mean Wind (Low- Altitudes) 

a) The probability of exceeding a wind level at a given altitude is dependent upon 
surface roughness conditions. For average airport conditions, the level of total wind 
occurring from any direction at 20 feet above the surface is determined from Figure 
C.M.F.2-4 for a specified exceedance probability. 

b) The wind level at any other altitude h is determined from the extrapolation formula: 



where z = .15 ft 
for average airport 
conditions 


The mean wind profiles for average airport surface roughness conditions is shown 
on Figure C.M.F.2-5 for reference. 

C.M.F.2.3. 2 Turbulence Levels 

a) Low r Altitude Turbulence (h < 3,000 feet) 

The root mean square level of the turbulence component acting perpendicular to the 
earth, ow, is derived from the mean wind speed at 20 feet above the surface from: 
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FIGURE C.M.F. 2-4 PROBABILITY OF EXCEEDING WIND SPEED 
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FIGURE C.M.F. 2-5 MEAN WIND PROFILES 
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RMS levels of horizontal components of turbulence are found from using Figure 
C.M.F.2-6 

b) High Altitude Turbulence (h > 3,000 feet) 

For high altitudes, the levels of turbulence components oriented in any direction are 
equals: 

°u = a v = ° w . 


The levels of high altitude turbulence (including storm turbulence) are determined 
from exceedance probabilities using Figure C.M.F.2-7. 

C.M.F.2.3.3 Integral Scale Lengths for Turbulence, Lu, Lv, Lw Integral scales for 
turbulence at all altitudes are determined from Figure C.M.F.2-8 and altitude. 


C.M.F.2.3.4 Spectra Shapes for Turbulence 

The distribution of turbulence power with frequency for all altitudes is given by the power 
spectra: 
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V T = TRUE AIRSPEED (FT/SEC) 

w = FREQUENCY (RAD/SEC) 

o • » TURBULENCE COMPONENTS (FT/SEC) 

t . = TURBULENCE SCALE LENGTHS (FT) 


The spectra filters, when combined with normalized random noise, yield time varying u, v, w 
gust components. For low altitude, the o w component refers to the component perpendicu- 
lar to the earth while the u and v components are aligned parallel and perpendicular (respec- 
tively) to the airplane’s relative velocity vector projected onto the plane of the earth. For 
high altitudes, the components are aligned to the airplane’s relative velocity vector. 
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FIGURE C.M.F. 2-6 TURBULENCE LEVELS - HORIZONTAL COMPONENTS 
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FIGURE C M- F. 2-8 TURBULENCE SCALE LENGTHS 
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C.M.F.2.3.5 Transformation to Body Axes Components 

The transformations required to obtain body axes components of turbulence for low 
altitudes follow: 
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For the high-altitude model a transformation is required to bring the turbulence 
components from relative wind orientation to body axes orientation: 



Body Axes 
Gust Components 
where 

6 = Euler pitch angle 

<{, = Euler roll angle 

Q = tan -1 wa 
ua 
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High-Altitude Turbulence 
Transformation Matrix 
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p . sin' 1 A 
V T 

u A = u " ( U TURB ) 
v A = v - ( v TURB ) 
w A = w “ ( W TURB ) 

u, v, w = inertial components of velocity in body axes 

U TURB ’ V TURB’ W TURB = com P onents of turbu,ence and mean wmds in 
body axes 

V T = [ u a 2 + v a 2 + w A 2 ] 1/2 

C.M.F.2.3.6 Mean Wind and Turbulence Models for Automatic Landing Certification 

Limited application models in accordance with FAA Advisory Circular 20-57A and 
British Civil Air Regulation (BCAR) Paper 575 shall be used for automatic landing 
performance evaluation. 

C.M.F.2.3.7 Wind Shear 

The wind shear model for the severe atmospheric condition to be used for airplane 
controllability evaluation is shown on Figure C.M.F.2-9. For the light and moderate 
atmospheric conditions the magnitudes of the wind shear model of C.M.F.2-9 should be 
scaled appropriately. 
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FIGURE C.M.F. 2-9 WIND SHEAR MODEL 


C.M.F.2.4 Handling Qualities Evaluation Task-Related Maneuvers 

This section presents task-related maneuvers to be evaluated in piloted simulations with 
the appropriate aircraft system states, operational envelope and atmospheric conditions 
to verify compliance with the qualitative handling qualities requirements of Figure 
C.M.F.2-2. General categories and candidate tasks presented in Reference 6 are shown 
verbatim in Figure C.M.F.2-10. (This is representative of current FAA thinking but has 
not yet been adopted.) Specific task-related maneuvers are described in the following 
paragraphs. Within these requirements are some which apply only for conventional con- 
trol and others which apply only for maneuver demand type control, w'hich have been 
marked as Conventional and Maneuver Demand respectively. For these particular re- 
quirements the designer need only meet those applicable to the particular control law 
design. The requirements on control forces are a mix of control forces for wheel control- 
lers, center stick and sidestick controllers as the FAR and MIL-Specs requirements have 
been included verbatim. The designer shall modify these as appropriate for the particular 
control system design. 
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A. TRIM & UNATTENDED OPERATION 

Characteristics of the airplane to stay at or depart from an initial ’’trim” or unaccelerated 
condition. 

Dynamic and flight-path response to pulse (3 axes) 

Dynamic and flight-path response to atmospheric disturbance 
Spiral stability (e.g., release at 40 deg bank) 

B. LARGE AMPLITUDE MANEUVERING 


Generally, these are open-loop maneuvers in which the pilot attempts a significant change 
in airplane path, speed or attitude. Maneuvers may be initiated outside the normal flight 
envelope and transition flight envelopes. Many of these maneuvers are representative of 
engineering airworthiness and control tests. 


1) Pitch/Longitudinal 


2) Roll 

3) Yaw 


4) Operational 


- Wind-up-turn or symmetric pull-up/push-over 

- Slow-down-turn at fixed g or on AOA or G-Iimiter 

- Stall or AOA-limiter approach 

- Push/pull off trim speed 

- Rapid bank-to-bank roll 

- Sudden heading change 

- Constant heading sideslip 

- Pitch/roll upset recovery 

- Emergency descent 

- Climbing/diving turn 

- Takeoff/land wind shear escape maneuver 

- Go around/power application from low speed 

- Arrest of high sink rate, at touchdown/level-off altitude 

- Collision avoidance roll/pull 

- Takeoff and landing flare with abuse or high crosswind 


C. CLOSED-LOOP PRECISION REGULATION OF FLIGHT PATH 


Generally, these are tightly-bounded, pilot closed-loop tasks performed in routine com- 
mercial flight. These controlling tasks are almost exclusively associated with the normal 
flight envelope, or certainly not far outside the normal flight envelope boundary. 

ILS and precision touchdown, various atmospheric disturbance and initial offset 
Formation flying (as simulator for maneuver tracking) 

Compound SPD/ALT/HDG tracking, high gain flight phase, in various 
atmospheric disturbance and cockpit display status 


Figure C.M.F.2-10 General Handling Qualities Task Categories 
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C.M.F.2.4.1 Stall Characteristics and Recovery (FAR 25.201) 


a) Stalls must be shown in straight flight and in 30 degree banked turns with- 

1) Power off; and 

2) The power necessary to maintain level flight at 1.6 Vsi 

b) In either condition required by paragraph (a), it must be possible to meet the applica- 
ble stall characteristics and recovery requirements of FAR 25.203 with- 

1) Flaps and landing gear in any likely combination of positions; 

2) Representative weights within the range for which certification is requested. 

3) The most adverse center of gravity for recovery. 

c) The following procedure must be used to show compliance with FAR 25.203, 

1) With the airplane trimmed for straight flight at the speed prescribed in FAR 
25.103(b)(1), reduce the speed with the elevator control until it is steady at 
slightly above stalling speed. Apply elevator control so that the speed 
reduction does not exceed one knot per second until 

i) The airplane is stalled or 

ii) The control reaches the stop 

2) As soon as the airplane is stalled, recover by normal recovery techniques. 


C.M.F.2.4.2 Engine-Out 


a) Ground Minimum Control Speed (Vmcg) (FAR 25.149(e)): 

VMCG is the calibrated airspeed during the takeoff run, at which, when the critical engine 
is suddenly made inoperative, it is possible to recover control of the airplane with the use 
of primary aerodynamic controls alone to enable the takeoff to be safeK continued using 
normal piloting skill and rudder control forces not exceeding 150 lbs. Assuming that the 
path of the airplane accelerating with all engines operating is along the centerline of the 
runway, its path from the point at which the critical engine is failed to the point at which 
recovery to a direction parallel to the centerline is completed may not deviate more than 
30 feet laterally from the centerline at any point. Vmcg must be established with- 

1) The most critical takeoff configuration; 

2) Maximum available takeoff power or thrust on the operating engines; 

3) The most unfavorable center of gravity; 

4) The airplane trimmed for takeoff; 

5) The most unfavorable weight in the range of takeoff weights. 
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b) Minimum Control Speed (Vmc) (FAR 25.1 49(b)— (d)): 


VMC is the calibrated airspeed, at which, when the critical engine is suddenly made inop- 
erative, it is possible to recover control of the airplane with that engine still inoperative, 
and maintain straight flight either with zero yaw or with an angle of bank of not more 
than 5 degrees. 

Vmc may not exceed 1.2 Vs w'ith- 

1) Maximum available takeoff power or thrust on the engines; 

2) The most unfavorable center of gravity; 

3) The airplane trimmed for takeoff; 

4) The maximum sea level takeoff weight 

5) The airplane in the most critical takeoff configuration existing along the 
flight path after the airplane becomes airborne, except w'ith the landing gear 
retracted; and 

6) The airplane airborne and the ground effect negligible. 

The rudder forces required to maintain control at Vmc may not exceed 150 lbs nor may it 
be necessary to reduce power or thrust of the operative engines. During recovery, the 
airplane may not assume any dangerous attitude or require exceptional piloting skill, 
alertness, or strength to prevent a heading change of more than 20 degrees. 

c) Asymmetric Thrust - Yaw Controls Free (MIL-F-8785C 4.1 & 3. 3. 9. 4): 

Verify the static directional stability is such that at all speeds above 1.4VS, with asymmet- 
ric loss of thrust from the most critical engine while the other engine(s) develops normal 
rated thrust, the airplane with yaw control pedals free (no rudder control) may be 
balanced directionally in steady straight flight with less than 30 pounds of center stick 
roll-control force : 

1) All speeds above 1.4Vs 

2) All altitudes 

3) Aircraft trimmed for wings-Ievel straight flight prior to the failure 
C.M.F.2.4.3 Go-Around: 

The airplane shall have sufficient pitch control to perform a go-around. (FAR 25.145(c)) 
The following maneuver will be used to evaluate compliance with this requirement: 

It must be possible, without exceptional piloting skill, to prevent loss of altitude when 
complete retraction of the high lift devices from any position is begun during steady, 
straight level flight at 1.2 Vsi with- 

1) Simultaneous application of not more than takeoff power taking into account 
the critical engine operating condition; 
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2) The landing gear extended; 

3) The critical combination of landing weights and altitudes. 

If gated high-lift device control positions are provided, retraction must be shown from 
any position from the maximum landing position to the first gated position, between gated 
positions, and from the last gated position to the full retraction position. In addition, the 
first gated control position from the landing position must correspond with the high— lift 
devices configuration used to establish the go-around procedure form the landing 
configuration. 

C.M.F.2.4.4 Approach & Landing 

Verify that acceptable landing characteristics are available via compliance with the follow- 
ing requirements : 

a) Approach (static longitudinal stability (FAR 25.175) - Conventional Control) - The 
stick force curve must have a stable slope at speeds between 1.1 Vsi and 1.8 Vsi, w'ith- 

1) Wing flaps in the approach position; 

2) Landing gear retracted; 

3) Maximum landing weight; and 

4) The airplane trimmed at 1.4 VSI with enough power to maintain level flight 
at this speed. 

b) Landing (static longitudinal stability (FAR 25.175) - Conventional Control)- The stick 
force curve must have a stable slope and the stick force may not exceed 80 pounds (wheel 
controller), at speeds between 1.1 Vso and 1.8 VSo w'ith- 

1) Wing flaps in the landing position; 

2) Landing gear extended; 

3) Maximum landing weight; 

4) Power or thrust off on the engines; and 

5) The airplane trimmed at 1.4 Vso with power off. 

c) Longitudinal Stability (Maneuver Demand Control) In lieu of compliance with the 
requirements of paragraphs 25.171, 25.173, 25.175, and 25.181(a) of the FAR, the air- 
plane must be shown to have suitable dynamic and static longitudinal stability in any 
condition normally encountered in service, including the effects of atmospheric distur- 
bance. (Airbus A-320 FAR Special Conditions) 

d) Approach (directional control (FAR 25.147)) - It must be possible, while holding the 
wings approximately level, to safely make reasonably sudden changes in heading in both 
directions. This must be shown at 1.4 VSI for heading changes up to 15 degrees with- 

1) The critical engine inoperative in the minimum drag position; 

2) The power required for level flight at 1.4VS1, but not more than maximum 
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continuous power; 

3) The most unfavorable center of gravity; 

4) Landing gear retracted; 

5) Flaps in the approach position; and 
5) Maximum landing weight. 


e) Longitudinal Control (FAR 25.145) 

With the landing gear extended, no change in trim control, or exertion of more than 50 
pounds control force (wheel controller) may be required for the following maneuvers: 

1) With power off, flaps retracted, and the airplane trimmed at 1.4VS1, extend the flaps 
as rapidly as possible while maintaining the airspeed at approximately 40 percent above 
the stalling speed existing at each instant throughout the maneuver. 

2) Repeat subparagraph (1) except initially extend the flaps and then retract them as 
rapidly as possible. 

3) Repeat subparagraph (2) except with takeoff power. 

4) With power off, flaps retracted, and the airplane trimmed at 1.4 Vsi, apply takeoff 
power rapidly while maintaining the same airspeed. 

5) Repeat subparagraph (4) except with flaps extended. 

6) With power off, flaps extended, and the airplane trimmed at 1.4 Vsi, obtain and 
maintain airspeeds between 1.1 Vsi and either 1.7 Vsi, or Vfe, whichever is lower. 

f) Approach in crosswind (MIL-F-8785C 3. 3.7.1) 

It must be possible to develop at least 10 degrees of sideslip with yaw control pedal forces 
not exceeding 100 lbs. and roll control not exceeding 75% of total control power available 
to the pilot, with- 

1) Power approach configuration; 

2) Trimmed at VREF; 

3) Most critical configuration of c.g., flaps, and weight, 

4) With a 30 knot crosswind. 


g) Landing in crosswind (MIL-F-8785C 3.3.9) 

The airplane shall be safely controllable following sudden asymmetric loss of thrust in a 
landing with a 30 knot crosswind from the unfavorable direction, with- 

1) Trimmed at Vref 

2) Most critical configuration of c.g., flaps, weight 
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C.M.F.2.4.5 Takeoff 

Verify adequate controllability during takeoff for the following task-related maneuvers: 

a) Lateral control (FAR 25.147) 

It must be possible to make 20 degree banked turns, with and against the inoperative 
engine, from steady state flight at a speed equal to 1.4 VS1 with- 

1) The critical engine inoperative; 

2) The remaining engine(s) at maximum continuous power; 

3) The most unfavorable center of gravity; 

4) Landing gear (i) retracted and (ii) extended; 

5) Raps in the most favorable climb position; and 

6) Maximum takeoff weight. 

b) Climb (FAR 25.175 - Conventional Control) 

The stick force curve must have a stable slope at speeds between 85 and 115 percent of 
the speed at which the airplane- 

1) Is trimmed with- 

i) Wing flaps retracted; 

ii) Landing gear retracted; 

iii) Maximum takeoff weight; and 

iv) Maximum power or thrust for use during climb; and 

2) Is trimmed at the speed for best rate-of-climb except that the speed need 

not be less than 1.4 VSl. 

c) Longitudinal Stability (Maneuver Demand Control) 

In lieu of compliance with the requirements of paragraphs 25.171, 25.173, 25.175, and 
25.181(a) of the FAR, the airplane must be shown to have suitable dynamic and static 
longitudinal stability in any condition normally encountered in service, including the ef- 
fects of atmospheric disturbance. (Airbus A-320 FAR Special Conditions) 

d) Crosswind takeoff (MIL-F-8785C 3.3.7) 

It shall be possible to takeoff with normal pilot skill and technique in a 90-degree 30 knot 
crosswind with no more than 20 lbs (center stick) roll control force and 100 lbs yaw 
control force, with 

1) 30 knot crosswind 

2) All engines operating 

3) Maximum takeoff power 

4) Most critical configuration - c.g., flaps, weight 

5) Normal rotation 
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e) Thrust loss during takeoff roll (MIL-F-8785C 3. 3.9.1) 


It shall be possible for the pilot to maintain control of an airplane on the takeoff surface 
following sudden loss of thrust from the most critical engine. Thereafter, it shall be 
possible to achieve and maintain a straight path on the takeoff surface without a deviation 
of more than 30 feet from the path originally intended. 

1) For continued takeoff, verify with speeds from the refusal speed to the 
maximum take off speed, with 

i) Takeoff thrust on the operative engine(s) 

ii) Using only control not dependent upon friction against the takeoff 
surface or upon release of the pitch, roll, yaw or throttle controls. 

iii) Most critical configuration - c.g., flaps, weight. 

2) For the aborted takeoff, verify with all speeds below 1 the maximum takeoff 
speed, w'ith 

i) Use of nosewheel steering and differential braking allowed, 

ii) Most critical configuration - c.g., flaps, weight. 


C.M.F.2.4.6 Dive/Upset: 

Verify that sufficient control is available to meet the following speed increase and 
recovery’ characteristics: (FAR 25.253) 

1) Operating conditions and characteristics likely’ to cause inadvertent speed increases 
(including upsets in pitch and roll) must be simulated with the airplane trimmed at any 
likely cruise speed up to Vmo/Mmo. These conditions include: 

i) gust upsets; 

ii) inadvertent control movements; 

iii) passenger movement; 

iv) leveling off from climb; and 

iv) descent from Mach to airspeed limit altitudes. 

2) Allowing for pilot reaction time after speed warning occurs, it must be shown that the 
airplane can be recovered to a normal altitude and its speed reduced to Vmo/Mmo, 
without- 

i) Exceptional piloting strength or skill; 

ii) Exceeding Vd/Md, Vdf/Mdf or the structural limitations; 

iii) Buffeting that would impair the pilot’s ability to read the instruments or 
control the airplane for recovery. 
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C.M.F.2.4.7 Cruise 


a) Static longitudinal stability must be shown in the cruise condition as follows (static 
longitudinal stability FAR 25 175(b) - Conventional Control): 

1) With the landing gear retracted at high speed, the stick force curve must have a stable 
slope at all speeds within a range which is the greater of 15 percent of the trim speed p u 
^ resulting free return speed range, or 50 knots plus the resulting free return speed 
range, above and below the trim speed with- 


i) The wing flaps retracted; 

ii) The center of gravity in the most adverse position; 

iii) The most critical weight between the maximum takeoff and maximum 

landing weights; 

iv) Maximum cruising power; 

v) The airplane trimmed for level flight. 


2) With the landing gear retracted at low speed, the stick force curve must have a stable 
slope at all speeds within a range which is the greater of 15 percent of the trim speed plus 
the" resulting free return speed range, or 50 knots plus the resulting free return speed 
range, above and below the trim speed with 

i) The wing flaps retracted; 

ii) The center of gravity in the most adverse position; 

iii) The most critical weight between the maximum takeoff and maximum 

landing weights; 

iv) Power required for level flight at a speed equal to (VMO+1.4Vsi)/2; 

v) The airplane trimmed for level flight. 


3) With the landing gear extended, the stick force curve must have a stable slope at all 
speeds within a range which is the greater of 15 percent of the trim speed plus the result- 
ing free return speed range, or 50 knots plus the resulting free return speed range, above 

and below the trim speed with 

i) The wing flaps retracted; 

ii) The center of gravity in the most adverse position; 

iii) The most critical weight between the maximum takeoff and maximum 
landing weights; 

iv) Maximum cruising power; 

v) The aircraft trimmed for level flight. 
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b) Longitudinal Stability (Maneuver Demand Control) 

In lieu of compliance with the requirements of paragraphs 25.171, 25.173, 25.175, and 
25.181(a) of the FAR, the airplane must be shown to have suitable dynamic and static 
longitudinal stability in any condition normally encountered in service, including the ef- 
fects of atmospheric disturbance. (Airbus A-320 FAR Special Conditions) 
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Operational Flight Envelope(C.M.F.3) 

C.M.F.3.1 General 

At all altitudes, the operational flight envelope is defined in terms of a suitable 
normal acceleration and speed boundary for each configuration of the aircraft. 
Within these envelopes, the aircraft shall comply with the control and handling qualities 
criteria except where specifically exempted. Minimum and maximum design and 
operating speeds are presented in Figure C.M.F.3-1, and defined below. (FAR 

25.1503) 

C.M.F.3.2 Normal Acceleration 

The maximum normal acceleration considered is determined from stall considerations, 
structural limits, or maximum control authority which ever is most restrictive. Maximum 
positive and negative normal accelerations, nz, are presented in Figure C.M.F.3-2. 
(FAR 25.333(b) and FAR 25.1531) 

C.M.F.3.3 Minimum Speeds 

The minimum speeds associated with the operational flight envelopes shall be 
determined for each configuration on the basis of minimum demonstrated speed 
considerations as explained in the following paragraphs. (Note that the FAA is currently 
specifying new regulations to define the stall speed.) 

a) Stalling Speed - Vs 

Stalling speed is the lowest airspeed that will be demonstrated inflight with idle pow'er 
using a deceleration of 1 knot per second. This is the FAA stall speed. (Vso - Stall 
speed in the landing configuration, VSi - stalling speed appropriate to the configura- 
tion). (FAR 25.201(c), FAR 25.49) 

b) Minimum Warning Speed -VMIN warn 

Minimum warning speed is the airspeed at which positive warning is given to the 
pilot, either through natural aerodynamic means or through an artificial warning or 
control subsystem. (FAR 25.207) 

c) Minimum Operating Speed -Vmin op 

Minimum operating speed is the minimum airspeed at which the aircraft is intention- 
ally operated. This includes consideration of all operating concerns such as perform- 
ance, handling qualities, systems operations, etc. 

d) Minimum Control Speed 
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1) Minimum Control Speed, Ground - Vmcg 

This is defined as the minimum speed during takeoff at which, if a critical engine 
becomes inoperative, control can be maintained through primary aerodynamic 
controls. The lateral deviation following an engine failure at Vmcg shall not exceed 
30 feet from the runway centerline. The effect of nosewheel steering shall not be 
included. (FAR 25.149 and FAR 25.1513) 

2) Minimum Control Speed, Air - VMCA 

This is defined as the minimum airplane speed in the takeoff configuration at which, if 
a critical engine becomes inoperative, control is regained, and straight steady flight 
maintained with either zero yaw or no more than 5 degrees of bank, with the operating 
engine(s) at maximum takeoff thrust. (FAR 25.149(b)) 

3) Minimum Control Speed During Landing Approach - Vmcl 

This is defined as the minimum airplane speed in the approach configuration at which, 
if a critical engine becomes inoperative, control is regained, and straight steady flight 
maintained with either zero yaw or no more than 5 degrees of bank, with the operating 
engine(s) at maximum takeoff thrust. (FAR 25.149(f)) 

e) Takeoff Speeds 

1) Engine Inoperative Speed - Vef 

This speed shall be at least equal to the minimum speed during takeoff at which 
primary aerodynamic controls alone are adequate to safely continue the takeoff w'hen 
the critical engine suddenly fails. Vef > Vmcg (FAR 25.109(a)) 

2) Minimum Climb Speed - V2MIN 

This speed shall provide at least the minimum required gradient of climb (FAR 
25.121(b)) between 35 and 400 feet with the critical engine inoperative and shall be at 
least I.IOVmca or 1.20 Vsi. (FAR 25.107(b)) 

3) Rotation Speed - Vr 

This speed shall be at least 1.05Vmca and allow attainment of V2 MIN. (FAR 25.107(e)) 

f) Landing Approach Speed - Vref 

1) A calibrated airspeed that is not less than 1.3 Vso. This speed shall be maintained 
down to the 50 foot height for landing (FAR 25.125(a)(2)) 

2) This speed shall be greater than or equal to Vmcl + 5 Kt. (BCAR D2-8-3.5 (Ref. 8)) 
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C.M.F.3.4 Maximum Speeds 

The maximum speeds associated with the operational flight envelopes shall be 
determined for each configuration, on the basis of the following: 

a) Rap Extended Speed -Vfe 

The flap extended speed, Vfe, for each flap position shall be sufficiently greater than 
the operating speed recommended for the corresponding stage of flight (including 
balked landings) to allow for probable variations in control of airspeed and for 
transition from one flap position to another. Vfe must be equal to or less than the 
design flap speed, Vf. (FAR 25.1511, FAR 25.335(e) and FAR 25.345) 

b) Landing Gear Operating Speed - Vlo 

The landing gear operating speed shall not exceed the speed at which it is safe to 
extend or retract the landing gear, either for structural load or flight characteristics 
reasons. (FAR 25.1515 and FAR 25.729) 

c) Landing Gear Extended Speed - Vle 

The landing gear extended speed shall not exceed the speed at which it is safe to fly 
with the landing gear secured in the fully extended position. (FAR 25.1515, FAR 
25.729) 

d) Maximum Operating Speeds/Mach Numbers - Vmo/Mmo 

The maximum operating speeds and Mach numbers (Vmo/Mmo) shall be determined 
for the cruise configuration in such a manner as to include all normal operational 
flight conditions, including climb, cruise and descent, consistent w'ith the appropriate 
thrust requirements. (FAR 25.1505, FAR 215.335(b) and FAR 25.253) 

e) Design Dive Speed, - Vd/Md 

The design dive speed, Vd/Md, is based on the following criteria: From an initial 

condition of stabilized flight at Vmo/Mmo the airplane is upset, flown for twenty 
seconds along a flight path of 7.5 degrees below the initial path, and then pulled up at 
a normal load factor of 1.5 (0.5 g acceleration increment). Cruise power will be 
maintained until the pullup is initiated, at which time power reduction and pilot 
controlled drag devices shall be applied. The maximum speed reached in this 
maneuver shall be less than Vd/Md. The speed margin between Mmo and Md shall 
not be less than Mach = 0.05 for FA^, or less than Mach = 0.07 for CAA. (FAR 
25.335(b), FAR 25.253) 
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f) Flight Characteristics Demonstration Speeds - Vfc/Mfc 

Vfc/Mfc is the maximum speed at which normal control and stability requirements 
shall be met. Vfc is the speed mid-way between Vmo and Vd. MFC is .01 Mach higher 
than Mmo when a Mach overspeed device is used. Otherwise it is mid-way between 
MMO and Md. (FAR 25.253(b)) 
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FIGURE C.M.F. 3-2 HANDLING QUALITIES DESIGN BOUNDARIES 
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FLAPS DOWN 


Manual and Automatic Trim Functions (C.M.F.4) 


Longitudinal Trim 

Manual pitch trim and autotrim shall be provided over die normal flight envelope trim 
range. The crew shall have an alternate trim capability independent of the normal and 
automatic trim capability. Alternate crew trim shall have control capability over the entire 
mechanical trim range and shall override normal crew and automatic trim control at a 
times. (MIL-F-9490D 3. 1.3. 5) The probability of loss of manual trim shall be 

< 10E-7. 

Automatic trim control shall be operable during autopilot and enhanced maneuver control 
following lift-off. The automatic trim mode shall reduce steady-state elevator deflections 
to the neutral position by offloading to the stabilizer. The probability of loss of automatic 

trim shall be < 10E-06. 


Longitudinal Trim Indication 

There shall be positive indication of the trim position in the flight deck. A takeoff configura- 
tion warning shall be provided when the throttles are advanced for takeoff and the stabilizer 
is in a position that would not allow a safe takeoff. Annunciation of failure to trim on com- 
mand and uncommanded trim operation shall be provided except when either the pilot or 
co-pilot is using the trim controls. (FAR 25.677(b), FAR 25.703) 


Lateral Trim 

Manual and automatic lateral trim shall be provided. Crew trim control shall be provided 
for use in the core control (normal and minimum acceptable). Automatic trim control shall 
be provided during enhanced and autopilot control. Probability of loss of function shall be < 

10E-6. 


Lateral Trim Indication 

Trim position indication shall be displayed to the flight crew. (FAR 25.677(b) 


Directional Trim 

Manual and automatic directional trim shall be provided. Crew trim control shall be pro- 
vided for use in the core control (normal and minimum acceptable). Automatic trim control 
shall be provided during enhanced and autopilot control. Probability of loss of function 

shall be < 10E-6. 


Directional Trim Indication 

Trim position indication shall be displayed to the flight crew. (FAR 25.677(b) 
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Trim Indication Reliability 

No single failure or combination of failures shall cause erroneous trim position indication 
unless the failure(s) is improbable. (FAR 25.677(b), FAR 25.703, FAR 25.671) 
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Envelope Protection (C.M.F.5) 


Envelope protection functions shall be provided to prevent the aircraft from exceeding 
the normal operating envelope boundaries. Protection shall be provided for sta , load 
factor, pitch attitude, overspeed, sideslip, and roll angle boundaries. The following 
envelope protection functions shall be provided with a probability of loss of function 

< 10E-06. 


Function 

Stall 

Load Factor 
Overspeed 
Pitch Attitude 
Bank Angle 
Sideslip Angle 
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Autopilot Limiting and Actuation (C.M.F.6) 

Core control shall provide autopilot authority limiting and actuation. Autopilot limiting 
and monitoring shall limit the maneuver response of the airplane to autoflight malfunc- 
tions and protect the airplane against autoflight oscillatory failures. The autoflight limit- 
ing function shall protect against single and multiple axes failures. The probability of loss 
of autopilot limiting shall be < 10E-6. 
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Maneuver Control Lags (C.M.F.7) 

a) The airplane response to pilot controller inputs shall have an equivalent time delay 
(t e ) within the following limits: (MIL-F-8785C 3.5.3) 

t e < 0.1 sec. 

b) The equivalent time delay shall be measured from the pitch and roll rate responses 
to step controller inputs as shown in Figures C.M.F.7-1 and C.M.F.7-2 
respectively. 

The time delay contributions of all system elements from the pilot controller to 
the control surface shall be included. The airplane responses shall meet the 
requirements for both small inputs typical of fine tracking tasks and large 
maneuvers. 
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Requirement in Icing Conditions (C.M.F.8) 

C.M.F.8.1 Ice Protection System Operation General 

Ice protection systems whether manual or automatic shall provide acceptable maneuver 
margins and handling qualities. (FAR 25.1419) 

C.M.F.8.2 Handling Qualities/Controllability 

The airplane stall characteristics and longitudinal control power shall meet the requirements 
of the following sections for operation in icing conditions with the ice protection system 
functioning: (FAR 25.1419) 

Paragraph £ Title 


C.M.F.ll 

C.M.F.ll 

C.M.F.12 

C.M.F.16 


Stall Recovery 
Landing Go- Around 
Trim Range Limits 

Stall Characteristics (Lateral Stability) 


C.M.F.8. 3 Maneuver Margin and Stall Warning 

a) A maneuver margin equivalent to 40 deg of bank to natural or artificial stall warning 
must be available for any flap setting and speed normally used for holding, descent, and 
approach. A 30 deg bank margin must be available for the flap setting and speed normally 
used for go-around. (FAA Issue Paper F-3) 

b) Natural or artificial stall warning shall meet the requirements of paragraph P.S.A.W.l .1 
(page 126). 

c) The evaluation will be made with the ice protection system in operation and ice 
accreted at any flap setting and speed normally used for holding, descent, and approach. 
(FAR 25.1419) 

C.M.F.8. 4 Stall Warning with Failed Ice Protection System Elements 

Crew warning shall be provided when the failed ice protection system element could result 
in an unsafe condition if the pilot were not aware of the failure. (FAR 25.672(a)) 
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Control System Stability' Requirement (C.M.F.9) 


a) There shall be no tendency for system or pilot induced oscillations resulting 1 to 
efforts of the pilot to control the airplane. This shall include saturatton effects due to control 
system rate or position limits. The control system shall produce no objectionable airplane 
response or control characteristics including the effect of: 

Feedback gain magnitudes 
System rate limits 
System position limits 
System time delays 
Structural mode coupling 
Power supply variations 

Abnormal flight conditions such as stall, speeds to 1.2 Vd/Md, or 
large maneuver angles. 

b) Stability’ Margin Criteria 

1) The FCS shall satisfy the stability criteria in Table C.M.F.9-1 The criteria . apply to 
either single or multiloop systems. In a multiloop system the phase and gam of the feedback 
pa*s except for the path under investigation, shall be held at nominal values. The enter, a 
shaifbe satisfied at all possible airplane weights and center of gravity locations and for any 
flighumndhion within L design flight envelope. The term gain (or phase) margin as used 
in Table C.M.F.9-1 means the variation in loop gain (or phase) from nomina ® _ F ‘! 9 49 0D 
able without causing the loop and mode in question to become unstable. (MIL-F-9490 

2) With any single failure, regardless of probability, or any combination of failures not 
extremely improbable, flight control shall be free of instabilities which preclude safe flight 
at any speed up to Vd. (FAR 25.629(d)(1), FAR 25.1309) 
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TABLE C.M.F.9-1 GAIN AND PHASE REQUIREMENTS (DB, DEGREES) 


Airspeed 

Mode 

Frequency ‘ HiV. 

Below 

V 

MIN OP 

V MIN OP 
To 
V 

MO 

At V D 

At 1.15 V D 

< 0.06 

GM = 6 DB 
(NO PHASE 
REQUIRE- 
MENT 
BELOW 

V MIN OP) 

GM = + 4.5 
PM = + 30 

GM = + 3.0 
PM = + 20 

GM = 0 
PM = 0 
(Stable at 
Nominal 
Phase and 
Gain) 

0.06 < ^ < FIRST AEBO- 
eiastic 

MODE 

GM = + 6.0 
PM = + 45 

GM = + 4.5 
PM = + 30 

f _ . > FIRST AERO- 
M ELASTIC 

MODE 

GM = + 8.0 
PM = + 60 

GM = + 6.0 
PM = + 45 


f M = Mode Frequency 
GM = Gain Margin 
PM = Phase Margin 
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Residual Oscillations (C.M.F.10) 

a) Any limit cycle that occurs in normal or enhanced control shall not exceed flight crew 
or passenger perception threshold levels. These thresholds are defined as 0.04 g peak- 
to-peak in the vertical direction and 0.02 g peak-to-peak in the lateral direction. 
(MIL-F-9490D 3. 1.3.8) 

b) Any residual oscillation or sustained limit cycle that occurs during degraded opera- 
tion (minimum acceptable control) shall not interfere with the pilot s ability to control 
and safely land the airplane. Accordingly, normal acceleration at the crew station due to 
residual oscillations shall not exceed ± 0.05 g. (MIL-F-8785C 3.2.2. 1.3) Residual oscilla- 
tions in roll and yaw attitude at the pilot’s station shall not exceed 0.6 degrees peak to 
peak. (MIL-F-9490D 3.1. 3.8) 
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Longitudinal Control Power Requirements (C.M.F.ll) 


C.M.F.11.1 Takeoff Control Requirements 
C.M.F.ll. 1.1 Normal Takeoff (All Engines) 

Normal rotation at Vr shall provide liftoff attitude at the liftoff speed with the following 
requirements: (FAR 25.107(e)) 

a) Not more than 75% of the available elevator control shall be required. (MEL^F-8785C 
3. 2. 3. 3. 2) 

b) There shall be a perceptible pitch response to controller input at rotation. 

C.M.F.ll. 1.2 Mistrim Takeoff (All Engines) 

The airplane shall be capable of safe takeoff with the longitudinal trim set at any 
position within the normal takeoff trim range. 

C.M.F.ll. 1.3 Takeoff With Adverse Failures 

For failure conditions not extremely improbable there shall be sufficient control to 
takeoff safely. (FAR 25.671) 

C.M.F.11.2 Maneuver Control Requirements 

C.M.F. 11.2.2 Longitudinal Control In Maneuvering Flight 

a) It must be possible at any speed between the trim speed prescribed in FAR 25.103(b) 
and Vs to pitch the nose downward so that the acceleration to this selected trim speed is 
prompt with- (FAR 25.145(a)) 

1) The airplane trimmed at the trim speed (FAR 25.103(b)) 

2) The landing gear extended 

3) The wing flaps (i) retracted and (ii) extended, and 

4) Power (i) off and (ii) at maximum continuous power. 

b) With the landing gear extended, no change in trim control, or exertion of more than 
50 pounds of wheel controller force may be required for the following maneuvers: (FAR 
25.145(b)) 


1) With power off, flaps retracted, and the airplane trimmed at 1.4 Vsi, ex- 
tend the flaps as rapidly as possible while maintaining the airspeed at approximately 40 
percent above the stalling speed existing at each instant throughout the maneuver. 
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2) Repeat subparagraph (1) except initially extend the flaps and then retract 
them as rapidly as possible. 

3) Repeat subparagraph (2) except with takeoff power. 

4) With power off, flaps retracted, and the airplane trimmed at 1.4 Vsi, apply 
takeoff power rapidly while maintaining the same airspeed. 

5) Repeat subparagraph (4) except with flaps extended. 

6) With power off, flaps extended, and the airplane trimmed at 1.4 Vs l, obtain 
and maintain airspeeds between 1.1 Vsi and either 1.7 Vsi, or Vfe, whichever is lower. 

c) Within the Operational Flight Envelope, it shall be possible to develop, by use of the 
pitch control alone, the maximum and minimum service load factors as defined in 
MIL-F-8785C 3.1. 8.4. This maneuvering capability is required at the lg trim speed and, 
with trim and throttle settings not changed by the crew, over a range about the trim speed 
the lesser of ± 15 percent or ± 50 knots equivalent airspeed (except where limited by the 
boundaries of the Operational Flight Envelope) (MIL-F-8785C 3.2. 3.2) 

C.M.F.l 1.2.3 Maneuvering After High-Speed Upsets 

There shall be no reversal in the effectiveness of the pitch control surfaces at speeds 
up to 1.15 Vd. (MIL-F-9490D 3. 1.3. 6.1) 


C.M.F.l 1.3 Landing Control Requirements 


The pitch control shall be sufficiently effective in the landing flight phase in close prox- 
imity to the ground, that in calm air: 

a) The geometry-limited touchdown attitude can be maintained in level flight or 

b) The lower of Vs(L) or the guaranteed landing speed can be obtained. 

This requirement shall be met with the airplane trimmed for the approach flight phase at 
the recommended approach speed. (MIL-F-8785C 3. 2. 3. 4) 

C.M.F.11.4 Stall 

a) There shall be sufficient nose down pitch capability to ensure prompt 
acceleration to the trim speed from the stall speed, power on and off. (FAR 25.145) 

b) There shall be sufficient elevator control power with idle power, trim at 1.3 Vs, and 
at the forward center-of-gravity limit, to demonstrate F.A.R. stall speeds in all airplane 
configurations. (FAR 25.201) 

C.M.F.l 1.5 Stall Recovery 

a) It shall be possible to recover from a stall by simple use of the pitch, roll and yaw 
controls with cockpit control forces not to exceed those of F.C.S.8. and to regain level 
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flight without excessive loss of altitude or buildup of speed. Throttles shall remain fixed 
until speed has begun to increase and an angle of attack below the stall has been regained 
unless compliance would result in exceeding engine operating limitations. In straight- 
flight stalls with the airplane trimmed at an airspeed not greater than 1.4vs, pitch control 
shall be sufficient to recover from any attainable angle of attack. (MIL-F-8785C 
3.4.2.1.3) 

b) It must be possible to produce and to correct roll and yaw by unreversed use of the 
aileron and rudder controls, up to the time the airplane is stalled. No abnormal nose-up 
pitching may occur. The longitudinal control force must be positive up to and throughout 
the stall. In addition, it must be possible to promptly prevent stalling and to recover from 
a stall by normal use of the controls. (FAR 25.203(a)) 

c) For level wing stalls, the roll occurring between the stall and the completion of the 
recovery may not exceed approximately 20 degrees. (FAR 25.203(b)) 

d) For turning flight stalls, the action of the airplane after the stall may not be so violent 
or extreme as to make it difficult, with normal piloting skills, to effect a prompt recovery 
and to regain control of the airplane. (FAR 25.203(c)) 

e) It must be possible to safely recover from a stall with the critical engine inoperative- 

1) Without applying power to the inoperative engine; 

2) With flaps and landing gear retracted; 

3) With the remaining engines at up to 75 percent of maximum continuous 
power, or up to the power at which the wings can be held level with the use 
of maximum control travel, whichever is less. (FAR 25.205(a)); 

4) The operating engines may "be throttled back during the stall recovery. 

C.M.F.11.6 Landing Go Around 

a) The airplane shall have sufficient pitch control to perform a go-around. (FAR 
25.145(c)) The following maneuver will be used to evaluate compliance with this 
requirement: 

It must be possible, without exceptional piloting skill, to prevent loss of altitude when 
complete retraction of the high lift devices from any position is begun during steady, 
straight level flight at 1.2 Vsi with- 

1) Simultaneous application of not more than takeoff power taking into account 
the critical engine operating condition; 

2) The landing gear extended; 

3) The critical combination of landing weights and altitudes. 
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If gated high-lift device control positions are provided, retraction must be shown from 
any position from the maximum landing position to the first gated position between ga e 
positions, and from the last gated position to the full retraction position. In addition the 
first gated control position from the landing position must correspond with the high lift 
devices configuration used to establish the go-around procedure from the lan ing 
configuration. 


\ 
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Longitudinal Trim Authority (C.M.F.12) 

The following trim system requirements are applicable to airplanes where primary 
longitudinal trim is provided by a movable horizontal stabilizer or by a trimmable elevator 
on a fixed stabilizer. 

C.M.F.12. 1 Trim Range Limits 

a) The normal trim limits shall be set to allow the airplane to maintain longitudinal trim 
during: (FAR 25.655(b)) 

1) A climb with maximum continuous power at a speed not more than 1.4 Vsi, with 
the landing gear retracted, and the flaps (i) retracted and (ii) in the takeoff position; 

2) A glide with power off at a speed not more than 1.4 Vsi, with the landing gear 
extended, the wing flaps (i) retracted and (ii) extended, the most unfavorable center of 
gravity position approved for landing with the maximum landing weight, and with the 
most unfavorable center of gravity position approved for landing regardless of weight; 

3) Level flight at any speed form 1.4VS1 to Vmo/Mmo, with the landing gear and 
flaps retracted, and form 1.4 Vsi to Vle with landing gear extended. 

b) The airplane must maintain longitudinal trim at 1.4 Vsi during climbing flight with: 
(FAR 25.161(d)) 

1) The critical engine inoperative. 

2) The remaining engines at maximum continuous power. 

3) The landing gear and flaps retracted. 

C.M.F.12. 2 Trim Rate 

The trim rate shall be rapid enough to enable the pilot to maintain low control forces 
under changing conditions normally encountered in service, yet not so rapid as to cause 
oversensitivity or trim precision difficulties under any conditions. (MIL-F-8785C 3.6.1 .2) 

C.M.F.12. 3 All Engine Inoperative Trim Capability 

Trim capability with all engines inoperative shall be provided unless sufficient 
longitudinal control power is available. (FAR 25.671(d)) 
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Enhanced Longitudinal Control Maneuver Response (C.M.F.13) 


a) Pitch Rate Response 

Pitch rate response to a pitch control step input shall comply with the requirements of 
figure C.M.F.13-1. (Ref. 7 - AFWAL-TR-81-3109 3.2.2.1) 


Imnsignl Peak Ratio 

The transient peak ratio /Aq, shall meet the following requirement; 
Aq 2 /Aq^ < .30 

where Aq^ * magnitude of first overshoot 

Aq 2 = magnitude of first undershoot. 

Kise Time P arameter 

The rise time parameter, At = t 2 ~ tj shall have a value between the 
following limits: 

Nonterminal Right Phase Terminal Right Phase 

Min Max M» n Max 

_o_ £ At < 500 _2_< At 

V T V T V T V T 

where Vy = ft/sec true airspeed 
1 1 = equivalent time delay 

t 2 = time to reach first crossing of steady state pitch rate. 
FIGURE C.M.F.13-1 PITCH RATE RESPONSE REQUIREMENTS 


b) Frequency and Damping 

1) Short period frequencies shall be within the boundaries shown in Figures 
C.M.F.13-2 and C.M.F.13-3. (MEL-F-8785C 3. 2. 2. 1.1.) 


2) Short period damping ratios shall be within: 0.35 < £sp < 1.0 (MIL-F-8785C 
3.2. 2. 1.2) 

3) Stability augmentation shall suppress any aerodynamic long period oscillation 
by holding a selected airplane state constant when the pilot’s controller is 
neutral. 

c) Longitudinal Stability With Respect to Speed (Conventional Control) 

The stick force versus speed average gradient shall be greater than or equal to 
1 pound per 6 knots. (FAR 25.173(c)) 

d) Longitudinal Stability (Maneuver Demand Control) 

In lieu of compliance with the requirements of paragraphs 25.171, 25.173, 25.175, and 
25.181(a) of the FAR, the airplane must be shown to have suitable dynamic and static 
longitudinal stability in any condition normally encountered in service, including the ef- 
fects of atmospheric disturbance. (Airbus A- 320 FAR Special Conditions) 
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Roll Mode Time Constant (C.M.F.14) 

The roll-mode time constant shall be no greater than the following: (MH^F-8785C 
3. 3.1.2 - Class Il-L & HI aircraft) 

NORMAL MINIMUM A CCEPTABLE 
1.4 Sec 10.0 Sec 
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Pilot - Induced Oscillations (C.M.F.15) 

There shall be no tendency for sustained or uncontrollable lateral-directional oscillation 
resulting from effort of the pilot to control the airplane. (MH^F-8785C 3.3.3) 
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Stall Characteristics (C.M.F.16) 

The lateral control shall be sufficient to control the bank angle to less than a 20 deg 
upset during a stall recovery. (FAR 25.203(b)) 
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Lateral Control Power Requirements(C.M.F.17) 

C.M.F.17.1 Static Balance 

a) The static directional stability shall be such that at all speeds above 1.4 Vmin, with 
asymmetric loss of thrust from the most critical engine while the other engine(s) develop 
normal rated thrust, the airplane with yaw control pedals free may be balanced direction- 
ally in steady straight flight. (M3L-F-8785C 3. 3.9.4) 

b) There must be enough excess lateral control in sideslips (up to sideslip angles that 
might be required in normal operation), to allow a limited amount of maneuvering and to 
correct for gusts. (FAR 25.147(e)) 

c) It must be possible to make 20 deg banked turns, with and against the inoperative 
engine, from steady flight at a speed equal to 1.4 Vsi with - (FAR 25.147(c)) 

1) The critical engine inoperative and its propeller (if applicable) in the minimum drag 
position; 

2) The remaining engines at maximum continuous power; 

3) The most unfavorable center of gravity; 

4) Landing gear (i) retracted and (ii) extended; 

5) Flaps in the most favorable climb position; 

6) Maximum takeoff weight 

d) It shall be possible to take off and land with normal pilot skill and technique in a 30 
knots 90-degree crosswind from either side. (MIL-F-8785C 3.3.7) Minimum accept- 
able: Directional stability shall be adequate to permit safe use of rudder to takeoff and 
land on dry runways in a crosswind of 20 knots or 0.2 Vso, whichever is greater, except 
that it need not exceed 25 knots. (FAR 25.237) 

e) Yaw and roll control power shall be adequate to develop at least 10 degrees of sideslip 
(yaw-control-induced steady, zero-yaw-rate sideslip with airplane trimmed for wings- 
level straight flight) in the power approach configuration. Roll control shall not exceed 
75% of control power available to the pilot. (MIL-F-8785C 3.3.7. 1) 

f) Following sudden asymmetric loss of thrust from any factor, the airplane shall be 
safely controllable in the crosswinds of paragraph d) above, from the unfavorable direc- 
tion. (MIL-F-8785C 3.3.9) 

g) During takeoff it shall be possible to achieve straight flight following sudden 
asymmetric loss of thrust from the most critical engine at speeds from Vmin to Vmax 
and thereafter to maintain straight flight throughout the climbout (without a change 
in selected configuration). Roll control shall not exceed 75 percent of available control 
power, with takeoff thrust maintained on the operative engine(s) and trim at normal 
setting for takeoff with symmetric thrust. (MIL-F-8785C 3. 3.9. 2) 
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C.M.F.17.2 Roll Response 

Lateral control for maneuvering shall be defined by the time required to achieve a 
specific bank angle in a given time in response to a maximum roll command. The 
required bank angle responses are: 

a) Terminal Right Phase - (Raps down, 1.3 Vsi to Vfe.)(MIU-F-8785C 3.3.4.2) 

1) Change bank angle 30 degrees within not more than 2.5 seconds, with probable 
system failures. 

2) Minimum Acceptable: Under the most adverse failure conditions change 

bank angle 30 degrees within not more than 6 seconds. 

b) Nonterminal Flight Phase - (Raps up, 1.3 Vsi to Vmo/Mmo.)(MIL-F-8785C 3.3.4.2) 

1) Change bank angle 30 degrees within not more than 2.3 seconds, with probable 

system failures. 

2) Minimum Acceptable: Under the most adverse failure conditions change 

bank angle 30 degrees within not more than 5 seconds. 

c) High speed (Vmo/Mmo to Vd/Md) 

With all hydraulic or electrical systems operating, lateral control shall 
be sufficient to roll from a steady 30 degrees banked turn through 60 degrees 
so as to reverse the direction of the turn in not more than 11 seconds with no 
pilot rudder controller input, and in no more than 14 seconds with full 
rudder controller used in the conventional sense (where rudder application 
has an adverse effect on rate of roll). (BCAR D2-8, 6.5.4) 
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Roll Response Linearity (C.M.F.18) 


There shall be no objectionable nonlinearities in the variation of rolling response with roll 
control deflection or force. Sensitivity or sluggishness in response to small control deflec- 
tions or force shall be avoided. (MIL-F-8785C 3. 3.4. 4) 
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Roll Control Cross Coupling (C.M.F.19) 

Lateral control deflection shall not cause objectionable 
(MIL-F-8785C 3.4.3) 


pitch and/or yaw transients. 
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Lateral Trim Authority (C.M.F.20) 

a) The lateral trim system shall be capable of reducing roll moments to zero in straight 
flight and the bank angle may not exceed five degrees at 1.4 Vsi during climbing flight 
with: (FAR 25.161(d)) 

1) The critical engine inoperative. 

2) The remaining engines at maximum continuous power. 

3) The landing gear and flaps retracted. 

b) The airplane must maintain lateral trim with the most adverse lateral displacement of 
the center of gravity (maximum wing tank fuel asymmetry) within the relevant operating 
limitations, during normally expected conditions of operation (including operation at any 
speed from 1.4 Vsi to Vmo/Mmo). (FAR 25.161(b)) 

c) Trim inputs shall not prevent the pilot from obtaining full surface displacement achiev- 
able at that condition. 


78 



Enhanced Roll Maneuver Control (C.M.F.21) 


The normal augmentation function shall suppress the aerodynamic spiral mode by 
holding a selected airplane state (e.g. roll attitude) constant when the lateral 

controllers are centered. 


In addition a heading or track angle hold shall be provided as an enhanced manual 
control mode. 
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Dynamic Stability (C.M.F.22) 


a) Normal Operation: Dutch roll frequency and damping shall meet the following 

requirements. (MIL-F-8785C 3. 3. 1.1 - Most restrictive requirement for class D and ID 
type aircraft.) 


FLIGHT 

CONDITION 

Min £ d 

Min £ d “d 

Min Up 

TAKEOFF, 

LANDING 

0.19 

0.35 

0.4 

CLIMB, 

CRUISE, 

DESCENT 

0.19 

0.35 

0.4 


(For passenger comfort a more stable platform is desirable and thus a £ D = 0.4 is an 
objective.) 

b) Minimum Acceptable: Dutch roll damping shall be greater than zero. (FAR 25.181(b)) 
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Turn Coordination (C.M.F.23) 

a) Normal Operation: Automatic turn coordination shall be provided, such that: 

1) With rudder pedals fixed the lateral acceleration at the eg shall not exceed ±0.1 g for 
maximum roll rates of C.M.F.17. This limit shall be met for aircraft in essentially con- 
stant altitude flight while rolling smoothly from one side to the other. (MDL-F-9490D 
3.1.2.4.2) 

2) With rudder pedals fixed, the sideslip angle shall not be greater than 2 degrees and 
lateral acceleration shall not exceed 0.03g, while at steady bank angles up to the maneu- 
ver bank angle limit. (MIL-F-9490D 3. 1.2. 4.1) 

3) The airplane shall be capable of making heading changes without requiring the use 
of rudder pedals to coordinate the turn entry and exit maneuvers. It is required that 

heading rate follow bank angle with an average lag (t^) of less than TBD seconds 

(Figure C.M.F.23-1). 

b) Minimum Acceptable: It shall be possible to coordinate the turn entry with normal pilot 
use of the rudders. 
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NOTE: 


LATERAL CONTROL IS APPLIED AS NECESSARY TO PROVIDE 
THE BANK ANGLE RESPONSE. 

THE AVERAGE YAW RATE RESPONSE TIME LAG IS MEASURED 
WITH RESPECT TO THE IDEAL YAW RATE RESPONSE TO 
BANK ANGLE: • ^ 


i|r = (g/v) tan 


4 > 


BANK 
ANGLE 
• DEG 


TIM 




♦ 


KTE 

DEG/SEC 
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Directional Control Power Requirements (C.M.F.24) 

The airplane should have sufficient directional control such that engine inoperative 
minimum control speeds (Vmca and Vmcg) will not limit performance over the 
normal range of operating weights. 

C.M.F.24. 1 Engine Inoperative Control Requirements 

a) Vmca < V2/1.1 and Vr/ 1.05 at critical weight. (FAR 25.107(b) and FAR 

25.125(a)) 

b) VmCL < 1.3 Vso -5 knots at critical weight. (BCAR D2-8, 3.2.2(c)) 

c) Vmcg < Vef. (FAR 25.107(a)(1)) 

C.M.F.24. 2 Crosswind Control Requirements 

a) The airplane shall have the capability to takeoff and land in a 30 knot crosswind. 
(MIL-F-8785C 3.3.7) 

b) Minimum acceptable: Directional stability shall be adequate to permit safe use of 
rudder to takeoff and land on dry runways in a crosswind of 20 knots or 0.2 Vso, 
whichever is greater, except that it need not exceed 25 knots. (FAR 25.237) 


83 


Directional Trim Authority (C.M.F.25) 


The directional trim authority shall be sufficient to trim with the most critical engine 
failed for the following conditions: 

a) Enroute Climb (FAR 25.161) 

b) Approach flaps with power for level flight at 1.4 Vs at maximum landing weight. 
(FAR 25.161) 

c) V2 with takeoff thrust and at minimum service takeoff gross weight (typically 1.25 
OEW). (FAR 25.161) 

d) The rudder trim rate shall be rapid enough to enable the pilot to maintain low control 
forces under changing conditions normally encountered in service (i.e. engine failure with 
flaps down), yet not so rapid as to cause oversensitivity or trim precision difficulties under 
any conditions. (MEL-F-8785C 3. 6. 1.2) 

Trim inputs shall not prevent the pilot from obtaining full surface displacement achiev- 
able at that condition. 
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Rutter Prevention Requirements (C.M.F.26) 

The airplane shall comply with the flutter requirements in FAR 25.629. A flutter sup- 
pres^on function may be provided by the flight control system to satisfy the flutter re- 
quirements. There shall be no flutter, buzz or divergence of the airplane or its comp 
nents at all speeds up to 1.2 Vd for all ranges of altitudes, maneuvers (includ g 
maneuvers within the Vd/Md envelope where losses in rigidity may occur) and loa ing 
conditions. Clearance to 1.2 Md must also be shown, except the Mach effects need I no 
be included for Mach numbers greater than 1.0 as long as a proper margin . P g 
exists at all speeds up to Md and there is no large and rapid reduction tn Ramping as 
Md is approached. The damping coefficient, l for any critical flutter mode shall be at 
least O.OMor all altitudes and speeds up to Vd for unfailed conditions. Compliance 
with these requirements may be shown by analyses, tests, or some com ina ion 
thereof. Ground vibration testing will be used to collect modal data for the airplane 

and some of the components. Right testing wil1 ^ 

compliance of the airplane at speeds up to Vd/Md. (FAR 25.629(a)&(b)) 


Fail-Safe Requirements 

a) II shall be shown by analysis or tests that the airplane is free from such flutter 
or divergence that would preclude safe-flight at any speed U P “ af “ r “ ch of h 
failures, malfunctions or adverse conditions listed below. (FAR 25.62 ( )) 


1) Failure of any single element of the structure supporting any engine, independ- 
ently mounted propeller shaft, or large externally mounted aerodynamic body. 

2) Any single failure of the engine structure that would reduce the yaw or pitch rigidity 
of the engine fan or propeller rotational axis. 

3) Absence of propeller aerodynamic forces resulting from the feathering of any single 
propeller. In addition any single feathered propeller must be paired with the failures 
specified in (1) and (2) above. 


4) Any single engine fan or propeller rotating at the highest likely overspeed. 

5) Any structural failure resulting in reduced stiffness of a single nacelle strut, 
including complete engine loss. 

6) Failure of each single principal structural element for which fail-safe strength is 
demonstrated. This may be substantiated by showing that losses in rigidity or 
changes in frequency, mode shape, or damping are within the parameter variations 
shown to be satisfactory in the flutter and divergence investigations. (FAR 25.571(c)) 


7) Any single failure or malfunction or combination thereof, in the flight control 
system considered under FAR 25.671,25.672 and 25.1309, and any single failure in 
any flutter damper system. Investigation of forced structural vibration other than 
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flutter, resulting from failures, malfunctions, or adverse conditions in the automatic 
flight control system may be limited to airspeeds up to Vc/Mc. 

8) Any other combination of failures affecting flutter or divergence not shown to be 
extremely improbable. 

b) In complying with the above conditions, the following must be considered for the 
flight control system: 

1) The airplane must be shown to be free from flutter after any of the following 
failures in the flight control system and surfaces: (FAR 25.671 (c)(d), FAR 25.672(c)) 

- Any single failure such as disconnection or failure of mechanical elements, or 
structural failure of hydraulic components such as actuators, control spool 
housing, and valves. 

- Any combination of failures not shown to be extremely improbable such as 
dual hydraulic system failure, or any single failure in combination with any 
probable hydraulic failure. 


2) It must be shown that after any single failure of the stability augmentation system 
or any other automatic or power operated system that flutter does not occur within the 
airplane operating envelope. (FAR 25.672(c)) 

3) The airplane must not flutter if any or all engines fail. Compliance with this 
requirement may be shown by analysis where that method has been shown to be reliable. 
(FAR 25.671 (c)(d)) 

4) The airplane systems and associated components, considered separately and in 
relation to other systems, must be designed so that the occurrence of any failure condi- 
tion which would prevent the continued safe flight and landing of the airplane is ex- 
tremely improbable. Compliance with this requirement must be shown by analysis and 
where necessary, by appropriate tests. The analysis must consider possible modes of 
failure, including malfunctions and damage from external sources. Also the 
probability of multiple failures or undetected failures must be considered. 

(FAR 25.1309(b) (d)) 

5) If a failure, malfunction or adverse condition is simulated during a flight test, the 
maximum speed investigated need not exceed Vfc if it is shown, by correlation of the 
flight test data with other test data or analyses, that flutter will not occur at any speed up 
to Vd. (FAR 25.629(d)) 
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Process Descriptions 
Control Mission Flight 


Description Expl name Page 


This function controls drag and lift dumping to provide an Control Aerodynamic Braking 105 

aerodynamic braking capability. 

This function configures the wing for different lift properties such Control Lift Configuration 112 

that required lift and control is achieved at low speed (takeoff it 
landing) and low drag can be achieved at high speeds . 

This function performs all functions required to control the Control Pitch 120 

longitudinal axis by controlling the pitch angle. 

This function performs all functions required to control the lateral Control Boll 145 

axis by controlling the roll angle. 

This function controls the aircraft directional axis. Control Yaw 189 

This function includes the airframe and the flight environment and Update Aircraft State 
outputs the aircraft flight state as a result of the flight state and 
the configuration of the flight control system. 


Data Flow Description 
Control Mission Flight 


Description Name 


The sensed 4 dimensional flight path it attitudes of the aircraft as Actual Flight Path 
well as any other sensed values necessary to satisfy the control 
requirements . 

Aircraft pitch, roll and heading attitudes. Aircraft Attitudes 

Directional trim actuator position displayed to the crew. Displayed Directional Trim Pos 

Indication to the crew of the speedbrake position and status. Displayed Inflight Brake Pos 

Longitudinal trim position displayed to the crew. Displayed Longitudinal Trim Pos 

Roll trim position displayed to the crew. Displayed Roll Trim Position 

Crew displayed high lift device positions and failure status Displayed Config it Failure Statu 

annunciation. 

Position of the system used to generate drag used for in air and on Drag Actuators Position 
ground aerodynamic braking. 

Thrust measurements of engines to determine capture engine out event. Engines Thrust 

All forces (in particular environmental forces) other than the External Forces on Actuator 

actuation forces acting on the aerodynamic braking and roll actuation 

system. 

All forces (in particular environmental forces) other than the External Forces on Pitch Actuato 

actuation forces acting on the aerodynamic braking system. 

All forces (in particular environmental forces) other that the External Forces on Yaw Actuator 

actuation forces acting on the yaw actuation system. 

Configuration of lift system to achieve necessary lift to support Lift Configuration 

desired flight path angle at all mission phases (speeds and 
altitudes) . The record consists of the leading edge and trailing edge 
flap positions. 

Angular position of the nosewheel used for on ground low speed Noaewheel Position 

heading control. 

Position of the actuator (s) which provide aircraft pitch maneuver and Pitch Actuator Position 
trim control . 

Position of the surface which makes the aircraft roll. Roll Actuator Position 

Audible and visual indication to the crew that the aircraft Stall Angle of Attack Warning 

is approaching the stall angle of attack. 

The desired 4 dimensional flight path and attitudes generated by Target Flight Path 

some navigation function. 

Configuration of the system which controls the magnitude and Thrust Vector Actuator Config 

direction of the thrust vector. 

Data Flow Description 
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Control Mission Flight 


Description 

The position of the wheel brake actuator. 

Position of the system which caused the aircraft to yaw (rudders). 


Name 

Wheel Brake Position 
Yaw Actuator Position 


Process Requirements Links 
Control Mission Flight 


Expl name 

Reference 

Page 

Control Aerodynamic Braking 

C.A.B. 1 

00 

C . A . B . 2 

01 

Control Lift Configuration 

C.L.C.l 

02 

C.L.C.2 

03 

Control Pitch 

C.P.l 

04 


C.P.2 

03 

Control Roll 

C.R. 1 

06 


C.R.2 

07 

Control Yaw 

C.Y.l 

ea 


C.Y.2 

99 

Update Aircraft State 

U.A.S.l 

100 

U.A.S.2 

101 


U. A. S. 3 

102 


U . A . S . 4 

103 


U.A.S.5 

104 
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Control Aerodynamic Braking (C.A.B.l) 

Manual and automatic control of aerodynamic braking shall be available. Manual control 
shall be able to override the automatic control function. The aerodynamic speed brake 
control function shall be available for on-ground and in-flight operation. 

1.0 Ground Speed Brake Control 

Ground speedbrake control shall provide ground deceleration capability consistent with 
operational field landing length requirements. 

2.0 Inflight Speed Brake Control 

a) The inflight speed brake actuators shall be sized to give adequate inflight deflection 
at Vmo/Mmo for emergency descent. 

b) Normal descent speed brake requirements shall not cause objectionable horizontal 
tail buffet or engine flow distortion. (FAR 25.251(b)) 

c) Control forces to trim the pitching moment change shall be less than or equal to those 
required by FAR 25.143(b). 
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Aerodynamic Braking Functional Availability Requirements (C.A.B.2) 

a) Each individual speed brake device shall provide fail-passive control for failure modes 
more probable than 10-7/flt hour. 

b) Loss of all speedbrake control shall be less than 10-7/flt hour. 
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Control Lift Configuration (C.L.C.l) 

The wing high lift design (both leading edge and trailing edge devices) shall be adjustable 
to provide a variable lift capability to ensure the achievement of low speed performance 
requirements coupled with certifiable handling characteristics. Manual and automatic 
system operation shall be provided. High lift device position indication and failure status 
shall be available. 
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Hi Fr5 ffl 


Lift Configuration Control Functional Availability Requirements (C.L.C.2) 
The high lift system shall provide the following functional availability: 
Function Probability of Loss of Function 


L. E. and T. E. Control 

< 

10-7 

L. E. Control 

< 

10-6 

T. E. Control 

< 

10-6 

Autoslat 

< 

10-5 

Flap Load Relief 

< 

10-5 

LE and TE Failure Annunciation 

< 

10-5 

LE Control and LE Failure Annunciation 

< 

10-9 

TE Control and TE Failure Annunciation 

< 

10-9 


Trim Control System Dynamics (C.P.l) 

The stabilizer shall operate at a constant rate in response to a trim command. 

Trim system start-up and run-on equivalent time delays shall be less than 0.10 seconds. 
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Longitudinal Control Functional Availability Requirements (C.P.2) 

The longitudinal control system shall provide the following functional availability 


Function 

Probability of Loss of Function 

Pilot Control 

Enhanced mode 

< 

10-6 

Normal Core 

< 

10-7 

Min Acceptable Core 

< 

10-9 

Stab Trim 

< 

10-7 

Feel and Centering 

< 

10-9 

Envelope Protection 

Load factor 

< 

10-6 

Stall 

< 

10-6 

Overspeed 

< 

10-6 

Pitch Attitude 

< 

10-6 

Autopilot Limiting 

< 

10-6 

Pitch Augmentation 

< 

10-6 


Lateral Control Functional Availability Requirements (C.R.l) 

The lateral control system shall provide the following functional availability 
Function Probability of Loss of Function 


Pilot Control 


Enhanced Mode 

< 

10-6 

Normal Core 

< 

10-7 

Min. Acceptable Core 

< 

10-9 

Lateral Trim 

< 

10-6 

Feel and Centering 

< 

10-9 

Envelope Protection 

Bank Angle 

< 

10-5 

Autopilot Limiting 

< 

10-6 
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Lateral Trim Control Dynamics (C.R.2) 

Trim rate shall be 2.5% (TBV) max lateral control per second. Startup and run-on shall 
be less than 0.10 seconds. 
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Directional Control Functional Availability Requirements (C.Y.l) 

The directional control system shall provide the following functional availability: 
Function Probability of Loss of Function 

Pilot Control 


Enhanced mode 

< 

10-6 

Normal Core 

< 

10-7 

Min Acceptable Core 

< 

10-9 

Directional Trim 

< 

10-6 

Feel and Centering 

< 

10-9 

Engine-Out Control Augmentation 

< 

10-6 

Envelope Protection 

Sideslip Limiting 

< 

10-6 

Autopilot Limiting 

< 

10-6 

Rudder Position Limiting 

< 

10-9 
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Directional Trim Control Dynamics (C.Y.2) 

Trim rate shall be 2.5% max rudder per second (TBV). Start-up and run-on shall be less 
than 0.10 seconds (TBV)- 
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Static and Dynamic Stability Requirements (U.A.S.l) 

The airplane shall be designed to have static and dynamic longitudinal characteristics as 
follows: 

a) For normal operation the short-period damping ratio shall be 0.35 < £sp < 1.0. 
(MIL-F-8785C 3.2. 2. 1.2) The phugoid mode shall be damped under normal flight 
conditions, i.e., divergent characteristics shall not be acceptable for normal operation. 
(MIL-F-8785C 3.2. 1.2) 

b) Positive static longitudinal stability’ shall be exhibited for all speeds and c.g. 
locations within the normal flight envelope, i.e. the airplane shall return to the approxi- 
mate trim speed after a speed upset. (FAR 25.171 Conventional Control) 

c) Longitudinal Stability (Maneuver Demand Control) 

In lieu of compliance with the requirements of paragraphs 25.171, 25.173, 25.175, and 
25.181(a) of the FAR, the airplane must be shown to have suitable dynamic and static 
longitudinal stability’ in any condition normally encountered in service, including the effects 
of atmospheric disturbance. (Airbus A-320 FAR Special Conditions) 

d) Minimum acceptable: 

Static stability is not required; however, the level of instability shall not exceed that 
which permits an unstable root having a time to double amplitude of less than six (6) 
seconds. NOTE: If minimum acceptable dutch roll damping is present, static longitudinal 
stability shall be neutral or positive. (MIL-F-8785C 3. 2. 1.1) 
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Right Path Stability (U.A.S.2) 

a) Conventional Control - An unstable 7 vs V relationship is acceptable provided the 
slope dy/dV is no more than .06 degrees/knots. (MIL-F-8785C 3.2. 1.3) 

b) Maneuver Demand Control - In lieu of compliance with the requirements of para- 
graphs 25.171, 25.173, 25.175, and 25.181(a) of the FAR, the airplane must be shown to 
have suitable dynamic and static longitudinal stability in any condition normally encoun- 
tered in service, including the effects of atmospheric disturbance. (Airbus A-320 FAR 
Special Conditions) 
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Static Lateral Stability (U.A.S.3) 


a) The airplane shall have stable static lateral stability in rudder induced sideslips 
at all speeds from 1.2 Vsi to Vmo/Mmo. (FAR 25.177(b) Conventional Control) 

b) For speeds from Vmo/Mmo to Vfc/Mfc, any tendency to divergence shall be gradual 
and easily recognizable and controllable by the pilot. (FAR 25.177(b) Conventional Con- 
trol) 

c) Lateral - Directional Stability (Maneuver Demand Control) 

(1) In lieu of compliance with paragraph 25.171 of the FAR, the airplane must be shown 
to have suitable static lateral-directional stability in any condition normally encountered 
in service, including the effects of atmospheric disturbance. (Airbus A-320 FAR Special 
Conditions) 

(2) In lieu of compliance with paragraphs 25.177(b) and 25.177(c), the following applies: 
In straight, steady, sideslips (unaccelerated forward slips) the rudder control movements 
and forces must be substantially proportional to the angle of sideslip, and the factor of 
proportionality must lie between limits found necessary for safe operation throughout the 
range of sidelip angles appropriate to the operation of the airplane. At greater angles, up 
to the angle at which full rudder control is used or a rudder pedal force of 180 pounds is 
obtained, the rudder pedal forces may not reverse and increased rudder deflection must 
produce increased angles of sideslip. Unless the airplane has suitable sideslip indication, 
there must be enough bank and lateral control deflection and force accompanying 
sideslipping to clearly indicate any departure from steady unyawed flight. (Airbus A-320 
FAR Special Conditions) 
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Spiral Mode (U.A.S.4) 

a) If unstable, the spiral mode time to double amplitude shall be no less than 20 
seconds at all speeds from 1.2 Vsi to Vfc/Mfc. (BCAR, D2-8.2 - Conventional Control) 

b) The airplane characteristics shall not exhibit a coupled roll-spiral mode in response to 
the pilot roll control commands. (ME^F-8785C 3.3.1.4 - Conventional Control) 

c) Minimum acceptable: the spiral mode time to double amplitude shall be greater than 4 
seconds. (MIL-F-8785C 3. 3. 1.3 - Conventional Control) 
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Static Directional Stability (U.A.S.5) 

Static directional stability shall be adequate to meet the following requirements: 

a) Skid recovery from 1.2 Vsi to Vfc/Mfc. (FAR 25.177(a) - Conventional Control) 

b) In straight, steady, sideslips the aileron and rudder control movements and forces 
must be substantially proportional to the angle of sideslip, and the factor of proportional- 
ity must lie between limits found necessary for safe operation throughout the range of 
sideslip angles appropriate to the operation of the airplane. At greater angles, up to the 
angle at which full rudder control is used or a rudder pedal force of 180 pounds is ob- 
tained, the rudder pedal forces may not reverse and increased rudder deflection must 
produce increased angles of sideslip. Unless the airplane has a yaw indicator, there must 
be enough bank accompanying sideslipping to clearly indicate any departure from steady 
unyawed flight. (FAR 25.177(c) - Conventional Control) 


c) Lateral - Directional Stability (Maneuver Demand Control) 

(1) In lieu of compliance with paragraph 25.171 of the FAR, the airplane must be shown 
to have suitable static lateral-directional stability in any condition normally encountered 
in service, including the effects of atmospheric disturbance. (Airbus A-320 FAR Special 
Conditions) 

(2) In lieu of compliance with paragraphs 25.177(b) and 25.177(c), the following applies: 
In straight, steady, sideslips (unaccelerated forward slips) the rudder control movements 
and forces must be substantially proportional to the angle of sideslip, and the factor of 
proportionality must lie between limits found necessary for safe operation throughout the 
range of sidelip angles appropriate to the operation of the airplane. At greater angles, up 
to the ancle at which full rudder control is used or a rudder pedal force of 180 pounds is 
obtained, the rudder pedal forces may not reverse and increased rudder deflection must 
produce increased angles of sideslip. Unless the airplane has suitable sideslip indication, 
there must be enough bank and lateral control deflection and force accompanying 
sideslipping to clearly indicate any departure from steady unyawed flight. (Airbus A-320 
FAR Special Conditions) 

d) At all speeds above 1.4VS, lateral control authority shall be adequate to control the 
airplane without pilot use of rudder controller following a critical engine failure. 
Roll-control forces shall not exceed 20 pounds (centerstick controller). (MIL-F-8785C 
3. 3.9.4) 

e) Minimum Acceptable: Directional stability shall be adequate to permit safe use of 
rudder to takeoff and land on dry runways in a crosswind of 20 knots or 0.2 Vso, which- 
ever is creater. except that it need not exceed 25 knots. (FAR 25.237) 
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Process Descriptions 
Control Aerodynamic Braking 


Description 


Expl name 


Function which indicates to the flight crew the position of the Display Speed Brake Pos 

•peedbrake system and annunciates unsafe speedbrake positions and 
unsafe failures. 

Function involving generation of the speedbrake command in an Generate Auto Brake Command 

automated fashion. 

Function to generate a drag actuator command based on the manual and Generate Drag Actuator Command 
auto braking commands . 

Function to generate the speedbrake command manually (ie by the Generate Manual Brake Command 

crew) . 

Function to move the position of the system which provides the Move Drag Actuator 

aerodynamic braking and lift dumping capability 
(spoiler/speedbrakes) . 

Function which converts the force exerted by the crew into an Provide Crew Braking Interface 

aerodynamic braking command. 


Data Flow Description 
Control Aerodynamic Braking 


Descript ion 

Sensed 4 dimensional flight path A attitudes of the aircraft as 
well as any other sensed values necessary to satisfy the control 
requirements . 

Automatically (non-manual) generated aerodynamic braking command. 

Force exerted by crew (pilot or copilot) on the aerodynamic braking 
control ler . 

Commanded drag actuator position. 

Indication to the crew of the speedbrake position and status. 

Displacement of the drag actuators (ie the speedbrakes) . 

All forces (in particular environmental forces) other than the 
actuation forces acting on the aerodynamic braking and roll actuation 
system. 

Speedbrake command generated as a result of the crew exerting a 
force on the controller. 

Desired 4 dimensional flight path and attitudes generated by 
some navigation function. 


Expl name 

Actual Flight Path 

Auto Brake Command 
Crew Brake Force 

Desired Drag Actuator Position 
Displayed Inflight Brake Pos 
Drag Actuator Displacement 
External Forces on Actuator 

Manual Brake Command 
Target Flight Path 


Process Requirements Links 
Control Aerodynamic Braking 


Expl name 

I-L Reference 

Page 

Display Speed Brake Pos 

D.S.B.P.l 

107 

Generate Auto Brake Command 

C.A.B.C.l 

108 

Generate Drag Actuator Command 
Generate Manual Brake Command 

C.D.A.C.l 

109 

Move Drag Actuator 

M.D. A. 1 

110 

Provide Crew Braking Interface 

P.C.B.I.l 

111 
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Indication (D.S.B.P.l) 

a) Means shall be provided to indicate to the flight crew the position of the speed brake 
system. 

b) Annunciation of failures or system operation which could result in an unsafe condition 
if the crew were not aware of the condition shall be provided. (FAR 25.672)(a) 

c) Annunciation to the crew (in the form of an aural warning) shall be provided for 
speedbrake deployment for the following condition: Take-off power and airplane on 
ground. (FAR 25.703)(a) 
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Automatic Speed Brake Control (G.A.B.C.l) 

a) Automatic speed brake control shall be available for on-ground operation. 

b) Automatic speed brake extension shall occur for the following conditions: 

1) At landing touchdown if the pilot has armed the system. 

2) At take-off if an RTO is conducted. 

c) The automatic ground speed brake system shall retract the spoilers and reset the speed 
brake control when the throttles are advanced to takeoff power. 
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Aerodynamic Braking Control Requirements (G.D.A.C.l) 

a) The system shall maintain its selected position, except for movement produced by an 
automatic positioning or load limiting device, without further attention by the flight crew. 

b) Control surface deflection for devices used both in-flight and on the ground shall be 
proportional to speed brake lever command. 

c) Ground-only speed brake devices shall be inhibited from operating in-flight with 
speed brakes deployed. Operation shall only be possible when the airplane is in positive 
contact with the ground. (FAR 25.697(b)) 
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Speed Brake Actuation (M.D.A.l) 

It shall be possible to position all speed brakes in the fully extended or fully retracted 
position on the ground. 

All ground speedbrakes shall be capable of maximum deflection at the maximum refused 
takeoff speed. 
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Crew to Aerodynamic Braking Interface (P.C.B.I.l) 

The controller shall be designed to make inadvertent operation improbable and it shall not 
creep. 
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Process Descriptions 
Control Lift Configuration 


Description 

Display to the crew the position of the high lift devices and 
annunciate any high lift device failure conditions. 


Generate the hi*h lift configuration command in an automated 
fashion (ie by a computer system) . 


Generate hi«h lift configuration actuator cowands based on the 
aanual and auto configuration commands and the sensed nigh Hit 
device positions. 


Generation of the hifh lift configuration coma and in a aanual 
fashion (ie by the crew) . 


Actuation of the high lift device* (ie the leading edge A trailing 
edge flaps ) . 

Interface which allows the crew to input conaands to the high 
lift system. 


Data Flow Description 
Control Lift configuration 


Description 

The sensed 4 dimensional 
well as any other sensed 
requirements . 


flight path k attitudes of the aircraft as 
values necessary to satisfy the control 


The automatically generated comaands for the leading edge and 
trailing edge high lift devices. 


This is the force exerted by the crew to generate the aanual high 
lift configuration command. 


Crew displayed high lift device positions and failure status 
annunciation. 

Commands to the various actuators which move the leading edge and 
trailing edge flaps. 

Sensed positions of the leading edge and trailing edge high lift 
positions . 

Position of leading edge and trailing edge high lift devices and 
failure status of the high lift devices. 


Configuration of lift system to 
desired flight path angle at all 
altitudes) . The record consists 
wing positions. 


achieve necessary lift to support 
mission phases (speeds and 
of the leading edge and trailing edge 


Manual high lift configuration command. 

Tha desired 4 dimensional flight path and attitudes generated by 
the navigation function. 


Process Requirements Links 
Control Lift Configuration 


Expl name 

Display HL Config k Fail Status 
Generate Auto Config Command 
Generate Config. Actuator Cmd 
Generate Manual Config Cmd. 

Move Lift Config. Actuator 

Provide Crew Config Interface 


I-L Reference 

Page 

D.HL.C.F.S.l 

114 

G.A.C.C.l 

115 

G.C.A.C.l 

116 

M.L.C. A. 1 
M.L.C. A. 2 

117 

118 

P.C.C.I.l 

119 


Exp 1 name 

Display HL Config k Fail Status 
Generate Auto Config Command 
Generate Config. Actuator Cmd 

Generate Manual Config Cmd. 

Move Lift Config. Actuator 
Provide Crew Config Interface 

Name 

Actual Flight Path 

Auto Config Command 
Crew HL Config Cmd Force 
Displayed Config k Failure Statu 

High Lift Actuator Command 

High Lift Device Positions 

High Lift Config k Failure Statu 

Lift Configuration 

Manual Config Cmd 
Target Flight Path 



Position Indication and Warning (D.HL.C.F.S.l) 

a) There shall be positive indication of the position of the left and right trailing edge and 
leading edge flaps. The indicator shall give clear indication of the degree of asymmetry 
between corresponding left and right flap segments. (FAR 25.699)(a) 

b) Monitoring shall be provided to detect and annunciate the following to the flight crew: 
(FAR 25. 699) (a) 

1) Uncommanded motion of the leading edge or trailing edge high lift devices. 

2) Failure to go to a commanded position. 

3) Asymmetry between corresponding left and right LE/TE devices. 

c) There must be means to indicate to the pilots the takeoff, en route, approach, and 
landing lift device positions. (FAR 25.699)(b) 

d) If any extension of the lift and drag devices beyond the landing position is possible, the 
control must be clearly marked to identify the range of extension. (FAR 25.699)(c) 

e) A takeoff warning system must be installed and must meet the following requirements: 
(FAR 25.703) 

(1) The system must provide to the pilots an aural warning that is automatically 
activated during the initial portion of the takeoff roll if the airplane is in a configuration, 
including the following that would not allow a safe takeoff: The wing flaps or leading edge 
devices are not within the approved range of takeoff positions. 

(2) The warning required by paragraph (1) of this section must continue until- 

(i) The configuration is changed to allow a safe takeoff; 

(ii) Action is taken by the pilot to terminate the takeoff roll; 

(iii) The airplane is rotated for takeoff; or 

(iv) The warning is manually deactivated by the pilot. 

(3) The means used to activate the system must function properly throughout the 
ranges of takeoff weights, altitudes, and temperatures for which certification is requested. 
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Automatic High Lift Control (G.A.C.C.l) 

A flap load alleviation function shall be provided that automatically limits the loads that 
can be applied to the trailing edge flaps. The flap load alleviation function shall satis y 

the following requirements. 

1) Operate at an adequate margin from normal operating speeds. 

2) Preserve the stall warning schedule with flap deflection. 

3) Not inhibit normal operation of the flap position indicator. (FAR 25.699(a)) 

4) The rate of motion of the surfaces in response to the operation of the control and the 
characteristics of the automatic positioning or load limiting device must give satisfactory 
flight and performance characteristics under steady or changing conditions of airspee , 
engine power, and airplane attitude. (FAR 25.697(c)) 
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Leading Edge and Trailing Edge Control (G.C.A.C.l) 


Each lift device control must be designed so that the pilots can place the device in any 
takeoff, en route, approach, or landing position established under FAR 25.101(d). Lift 
and drag devices must maintain the selected positions, except for movement produced by 
an automatic positioning or load limiting device, without further attention by the pilots. 
(FAR 25.697(a)) 

Each lift and drag device control must be designed and located to make inadvertent op- 
eration improbable. Lift and drag devices intended for ground operation only must have 
means to prevent the inadvertent operation of their controls in flight if that operation 
could be hazardous. (FAR 25.697(b)) 
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Trailing Edge Flaps (M.L.C.A.l) 

M.L.C.A.1.1 Rap Positioning Rexibility 

The flap drive system shall be capable of positioning the flaps at any takeoff, en route, 
approach, or landing position. (FAR 25.697) 

M.L.C.A.1.2 Rap Asymmetry 

The motion of trailing edge devices on opposite sides of the plane of symmetry shall be 
synchronized, unless the airplane has safe flight characteristics with the devices retracted 
on one side and extended on the other. (FAR 25.701) 

M.L.C.A.1.3 Flap Actuation Right Conditions 

Trailing edge flap retraction shall be possible during steady state flight at maximum 
continuous engine power at all speeds below Vfe + 9 knots. (FAR 25.697(d)). 
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Leading Edge High Lift Devices (M.L.C.A.2) 

M.L.C.A.2.1 Leading Edge High Lift Device Extension Requirements 

The leading edge device drive system shall be capable of positioning the leading edge 
devices at any takeoff, en route, approach, or landing position. (FAR 25.697) 

M.L.C.A.2. 2 Leading Edge Device Actuation Flight Conditions 

Leading edge flap retraction shall be possible during steady state flight at 
maximum continuous engine power at all speeds below Vfe + 9 knots. (FAR 25.697(d)) 

M.L.C.A.2. 3 Leading Edge Actuation Flight Conditions 

The leading edge devices shall be designed to permit deployment in icing conditions. 
(FAR 25.1419) 

M.L.C.A.2. 4 Flap Asymmetry 

The motion of leading edge devices on opposite sides of the plane of symmetry shall be 
synchronized by a mechanical interconnection or equivalent asymmetry monitor unless 
the airplane has safe flight characteristics with the devices retracted on one side and 
extended on the other. (FAR 25.701) 
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Manual High Lift Control (P.C.C.I.l) 

Means shall be provided to select specific flap positions (FAR 25.697 (a)). Gates shall be 
provided on the controller at the go-around flap setting (ACJ 25.697 (a)) and at the 
position just prior to full retraction of the leading edge devices. 
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Process Descriptions 
Control Pitch 


Description 

This” function'd! splay s' the” 1 ong! t ud i na 1 trim status to the crew. 

s&'sss.'sra: 

couand. 

position C coafflands*based Sftfi^iS’SS S-ESSS? 

trim commands. 

ssjrs&ira &sffi , ts5?Lnsas«S 58ss> - 

the autopilot. 

-a sK‘ssa*s*JS.ss , s*i*!» a sasaa £«- 

protection requirements. 

KitSiriS generat es' a*warning^for ^ the' crew^when* mpproaching^the 

aircraft stall angle of attack. 


Expl name 

Display Longitudinal Trim Posit. 
Generate Longitudinal Trim Cmd 

Generate Flight Path Command 

Generate Pitch Actuator Command 

Limit Auto Pitch Commands 

Move Pitch Actuators 

Provide Long. Envelope Protect 

Provide Stall AOA Warning 


Data Flow Description 
Control Pitch 


Name 


Description 


le!l 8 « S tny 4 other n sensed vTlues ^cessa^io^atisfy^he'control ‘ 
requirements . 

Flight path command generated in an automated fashion (ie by a 
computer system) . 

Longitudinal trim command generated automatically during enhanced 
manual control and autoflight control. 

The desired pitch actuator (elevator) position such that the limited 
flight path angle command is achieved. 

This flow is the longitudinal trim position displayed to the crew. 

*11 forces (in particular environmental forces) other than the 
actuation* forces acting on the pitch actuator. 

The automatically generated flight path command limited to the 
eutoflight pitch authority. 

The flight path command limited such that envelope protection is not 
violated. 

Position of the longitudinal trim actuator. 

Flight path angle command generated manually (ie by the crew). 

The longitudinal trim command generated by the crew for use during 
normal and backup control . 

of th. .ctu.toris) which prccU. 1 »»« fitch “ d 

trim control. 

,hi. n.. i. th. .ujibi. .hi , cS. th * "" t, ‘“ ,h ‘ 

aircraft is approaching the stall angle 

The desired 4 dimensional flight path and attitudes generated by 
some navigation function. 


Actual Flight Path 

Auto Flight Path Command 

Auto Longitudinal Trim Command 

Desired Pitch Actuator Position 

Displayed Longitudinal Trim Pos 
External Forces on Pitch Actuato 

Limited Auto Flight Peth Command 

Limited Flight Peth Command 

Longitudinal Trim Position 
Manual Flight Path Command 
Manual Longitudinal Trim Command 

Pitch Actuator Position 

Stall Angle of Attack Warning 

Target Flight Path 
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Process Requirements Links 
Control Pitch 


Expl name 

I-L Reference 

Page 

Display Longitudinal Trim Posit. 
Generate Flight Path Command 
Generate Longitudinal Trim Cmd 
Generate Pitch Actuator Command 
Limit Auto Pitch Commands 

L. A.F.C. 1 

123 

Move Pitch Actuators 
Provide Long. Envelope Protect 

P.L.E.P.l 

124 


P.L.E.P.2 

125 

Provide Stall AOA Warning 

P.S.A.W.l 

120 
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Pitch Autopilot Control and Limiting (L.A.P.C.l) 

a) The core longitudinal control shall provide autopilot control authority limiting and 
actuation for fail-safe operation and Cat HTb autoland operation. 

b) Maximum autopilot maneuver authority shall not result in the following conditions, 
assuming a pilot delay in initiating recovery from any system malfunction: (FAR 25.1329 
& FAA Advisory Circular 25. 1329-1 A) 

1) Speeds beyond Vfc/Mfc. 

2) Structural loads in excess of limit loads due to hardover or oscillatory failures. 

3) Airplane stall. 

4) Dangerous dynamic conditions or deviations from the flight path. 

5) Load factor response in excess of +1.0 g incremental. 

The pilot delay from malfunction recognition to initiation of corrective action shall be 3 
seconds for normal climb, cruise, and descent, and 1 second for normal maneuvering 
flight (turning flight) and during low approaches. (FAA Advisory Circular 25. 1329-1 A) 
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Enhanced Control Longitudinal Envelope Protection (P.L.E.P.l) 

Envelope protection functions shall be provided to assist the pilot or autopilot in prevent- 
ing the airplane from exceeding normal operating envelope boundaries. The basic FCS 
shall include protection for stall, load factor, pitch attitude, overspeed, sideslip and roll 
angle boundaries. The envelope protection limits are TBD. 
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Automated Envelope Protection (P.L.E.P.2) 

Automated envelope protection shall be provided to relieve pilot workload and shall have 
a probability of loss of function < 10E-06. 
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Stall Angle of Attack Warning (P.S.A.W.l) 


A tactile and/or audible warning of an impending stall shall be provided. Stall Warning 
shall be provided for all selectable flap/slat configurations and for high lift system fail- 
ures. The stall warning function is required for dispatch and shall be available after loss 
of one engine or electrical generator. Stall warning system reference angles of attack and 
system design shall be such as to minimize nuisance warnings and provide normal ma- 
neuver capability. 


P.S.A.W.1.1 Normal Operation 

’‘Normal” stall warning, for norma! LE/TE configurations, shall: 

a) Provide a stall speed warning margin of at least 7 percent to the certified FAR stall 
speed. (FAR 25.207) 

b) Occur prior to “normal 1-g stall speed”. The "normal 1-g stall speed" is defined as 
the minimum 1-g corrected flight speed at which nW/qS becomes a maximum value 
during an idle thrust, 1 knot/sec entry rate, stall demonstration maneuver. 

c) Not occur within the following maneuver envelope: 

1) 4> < 40 deg with flaps up at enroute climb speed, 1 engine out 

2) 4> < 30 deg with takeoff flaps at V2 speed, 1 engine out 

3) 4> < 40 deg with approach and landing flaps at approach speed (1.3 Vs) 


where 4> = bank angle in a level flight balanced turn with no pilot rudder input and 
power for level flight in the turn. (FAA Issue Paper F-3) 

P.S.A.W.l. 2 Operation with High Lift System Failures 

Stall warning and crew annunciation for failed L.E./T.E. configurations, for which 
failure of high lift surface element/elements is not shown to be extremely improbable, 
shall be provided. 
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Process Descriptions 
Generate Flight Path Command 


Description 

FuncUonto’generate a flight path angle command automatically (ie 
by a computer) as a result of the difference between the actual and 
target flight paths. 

This function involves the generation of a flight path command 
manually (ie be the crew) as a result of comparing the target and 
actual flight paths. 


Expl name 

Generate Flight Path Cad Auto 


Generate Flight Path Cmd Manual 


Control Process Descriptions 
Generate Flight Path Command 


Description 

jhls'function'ectlvetes'one of the fli * ht P ,th command generation 
processes depending on the mode engaged. 

This function decides whether to generate flight path commands 
manually or automatically. 


Expl name 

Engage Man/Auto Operation (FP) 
Make Manual /Auto Flight Decision 


Data Flow Description 
Generate Flight Path Command 


Description 


The sensed 4 dimensional flight 
well as any other sensed values 
requirements . 


path * attitudes of the aircraft 
necessary to satisfy the control 


as 


Flight path command generated in an automated fashion (ie by a 
computer system) . 


Flight path angle command generated manually (ie by the crew). 

The desired 4 dimensional flight path and attitudes generated by 
some navigation function. 


Name 

Actual Flight Path 

Auto Flight Path Command 

Manual Flight Path Command 
Target Flight Path 


Process Architectural Assignments 
Generate Flight Path Command 


Expl name _ 

Generate Flight Path Cmd Auto Auto-Flight System 

Generate Flight Path Cmd Manual Pilot 

Copilot 
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Process Descriptions 

Flight Cntrl Sys Pitch Context 


Description Expl name 


This function contains all the flight control functions assigned to Flight Cntrl Sys Pitch Functns 

the FCS . As a result of this assignment several new functions are 

created. Some of these are interface functions and others are as a 

result of how functions were allocated to AEs. (ie. Envelope 

Protection was assigned to the FCS with a probability of failure 

<10E-6. However this function requires <lOE-9. Therefore the pilot & 

copilot must perform envelope protection when not being performed by 

the FCS. Thus a pilot indication function of the status of envelope 

protection is generated.) Pilot a copilot can command roll rate, 

thus there is a functional req. to resolve control contention. 


Data Flow Description 
Flight Cntrl Sys Pitch Context 


Description Name 

Flight path command generated in an automated fashion (ie by a Auto Flight Path Command 

computer system) . 

Longitudinal trim command generated automatically during enhanced Auto Longitudinal Trim Command 

manual control and autoflight control. 


This flow is a resistance force exerted by the controller which is a Copilot Flight Path Cmd Feel For 
feedback to the copilot indicative of the flight path angle command. 


This flow is the physical force generated by the copilot to control Copilot Flight Path Cmd Force 
the aircraft flight path angle. It is in the form of a force exerted 
by the pilot's hand. 

This is the physical force exerted by the copilot's hand to generate Copilot Longitudinal Trim Force 
the desired longitudinal trim command. 


The physical signal created by the pilot to control the aircraft Pilot Flight Path Cmd Force 

flight path. It is in the form of a force exerted by the pilot. 

This flow is a resistance force exerted by the controller which is a Pilot Flight Path Feel Force 

feedback to the pilot indicative of the flight path command. 


This flow is the physical force exerted by the pilot's hand to Pilot Longitudinal Trim Force 

generate the desired longitudinal trim command. 

Position of the actuator(s) which provide aircraft pitch maneuver and Pitch Actuator Position 
trim control . 


Process Requirements Links 
Flight Cntrl Sys Pitch Context 


Expl name 

I -L Reference 

Page 

Flight Cntrl Sys Pitch Functns 

F.C. S.P.F. 1 

131 

F.C.S.P.F.2 

132 
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Pilot and co-pilot contention resolution (F.C.S.P.F.l) 

Pilot and co-pilot longitudinal control contention shall be resolved. 

(This functional requirement arises because the generate manual 
flieht path command was assigned to both the pilot and copilot AEs) 


Envelope Protection Mode Indication and Alert (F.C.S.P.F.2) 

Indication shall be provided to inform the pilot when an envelope protection mode has be- 
come active. An alert indication shall inform the pilot of loss of an envelope protection 
function. The loss of an envelope protection function and the failure to inform the pilot of 
the loss shall be extremely improbable. (FAR 25.672(a)) 

(This functional requirement was generated because the pilot is responsible for envelope 
protection when not provided automatically.) 
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Process Descriptions 

Flight Cntrl Sys Pitch Functns 


Description 


This transform displays the longitudinal trim status to the crew. 

This transfora results froa the allocation of Provide Longitudinal 
Envelope Protection to the FCS with a probability of loss of function 
of <10E-6 . Pitch envelope protection has a req for probability of 
loss of function <10E-9 and thus the crew has responsibility for 
pitch envelope protection when not performed by the FCS. Thus the 
crew aust be aware of envelope protect status, hence the functional 
requirement to Display Longitudinal Envelope Protect Status. 

This process generates the pitch actuator (elevator fr stabilizer) 
position commands based on the flight path angle and longitudinal 
tria commands. 

This function limits the autopilot control authority and protects 
against failures (in particular hardover and oscillatory failures) in 
the autopilot. 

This transform receives the desired pitch actuators positions and 
attempts to aove the actuators to those positions. 

This transform provides the same capability for the copilot as the 
Provide Pilot Pitch Interface does for the pilot. 

This transform converts the signal received from the pilot in the 
form of a force exerted by the pilot into a flight path angle command 
signal to be used by the FCS. It also provides the pilot with a 
feedback feel force indicative of the command. 

This transform monitors the aircraft states and modifies the flight 
path angle command as necessary to satisfy the longitudinal envelope 
protection requirements. 

This function monitors the aircraft flight path state vector and 
attitudes and generates a warning for the crew when approaching the 
aircraft stall angle of attack. 

This transform was generated by the assignment of the Generate Flight 
Path Command Manual to both the pilot & copilot. 


Data Flow Description 

Flight Cntrl Sys Pitch Functns 


Description 


The sensed 4 dimensional flight path & attitudes of the aircraft as 
well as any other sensed values necessary to satisfy the control 
requirements . 

Flight path command generated in an automated fashion (ie by a 
computer system) . 

Longitudinal trim command generated automatically during enhanced 
manual control and autoflight control. 

This flow it a resistance force exerted by the controller which is a 
feedback to the copilot indicative of the flight path angle command. 

This flow it the physical force generated by the copilot to control 
the aircraft flight path angle. It is in the form of a force exerted 
by the pilot's hand. 

Numeric value of the copilot flight path command obtained from the 
Copilot Flight Path Cmd Force. 

Numeric value of the copilot longitudinal trim command obtained 
from the Copilot Longitudinal Trim Force. 

This is the physical force exerted by the copilot's hand to generate 
the desired longitudinal trim command. 

The desired pitch actuator (elevator) position such that the limited 
flight path angle command is achieved. 

This flow is the longitudinal trim position displayed to the crew. 

The status of the longitudinal envelope protection function assigned 
to the FCS 
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Expl name 

Display Longitudinal Trim Posit. 
Display Pitch Envlp Protct Stats 

Generate Pitch Actuator Command 

Limit Auto Pitch Commands 

Move Pitch Actuators 

Provide Copilot Pitch Interface 

Provide Pilot Pitch Interface 

Provide Long. Envelope Protect 
Provide Stall AOA Warning 
Resolve Pitch Control Contention 

Name 

Actual Flight Path 

Auto Flight Path Command 
Auto Longitudinal Trim Command 
Copilot Flight Path Cmd Feel For 
Copilot Flight Path Cmd Force 

Copilot Flight Path Command 

Copilot Longitudinal Trim Cmd 

Copilot Longitudinal Trim Force 

Desired Fitch Actuator Position 

Displayed Longitudinal Trim Pcs 
Dsplyd Long Envlp Prctct Status 


Data Flow Description 

Flight Cntrl Sys Pitch Functns 


Name 


Description _ 

All forces (in particular environmental forces) other than the 
actuation forces acting on the aerodynamic braking system. 

The automatically generated flight path command limited to the 
autoflight pitch authority. 

The flight path command limited such that envelope protection is not 
violated . 

Activity and availability of the longitudinal envelope protection 
function. 


Position of the longitudinal trim actuator. 


Flight path angle command generated manually (ie by the crew). 


The physical signal created by the pilot to control the aircraft 
flight path. It is in the form of a force exerted by the pilot. 


Numeric value of the pilot's flight path angle command obtained 
from the Pilot Flight Path Cmd Force. 


This flow is a resistance force exerted by the controller which is a 
feedback to the pilot indicative of the flight path command. 


Numeric value of the pilot's longitudinal trim command obtained 
from the Pilot Longitudinal Trim Force. 


This flow is the physical force exerted by the pilot's hand to 
generate the desired longitudinal trim command. 

Position of the actuator(s) which provide aircraft pitch maneuver and 
trim control . 


This flow is the audible and visual indication to the crew that the 
aircraft is approaching the stall angle of attack. 


External Forces on Pitch Actuato^ 

Limited Auto Flight Path Command 

Limited Flight Path Command 

Longitudinal Envlop Protect Stat 

Longitudinal Trim Position 
Manual Flight Path Command 
Pilot Flight Path Cmd Force 

Pilot Flight Path Command 

Pilot Flight Path Feel Force 

Pilot Longitudinal Trim Command 

Pilot Longitudinal Trim Force 

Pitch Actuator Position 

Stall Angle of Attack Warning 


Process Requirements Links 
Flight Cntrl Sys Pitch Functns 


Expl name I-L Reference 

Display Longitudinal Trim Posit. 

Display Pitch Envlp Protct Stats 

Generate Pitch Actuator Command 

Limit Auto Pitch Commands L.A.F.C.l 

Move Pitch Actuators 

Provide Copilot Pitch Interface 

Provide Long. Envelope Protect P.L.E.P.l 

P.L.E.P.2 


Provide 

Provide 

Resolve 


Pilot Pitch Interface 

Stall AOA Warning P.S.A.W.l 

Pitch Control Contention R.P.C.C 1 
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Pilot and co-pilot contention resolution (R.P.C.C.l) 

Pilot and co-pilot longitudinal control contention for sidestick controllers shall be resolved 
as follows. 

a) Pilot and copilot commands of same sign chose larger command. 

b) Pilot and copilot commands of opposite sign add commands algebraically. 

c) In the event of a controller jam the function shall operate as though the jammed con- 
troller were in the detent position. 
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Process Descriptions 
Provide Pilot Pitch Interface 


Description 

This transform translates the physical displacement of the pitch 
controller into a flight path command. 

This transform generates a force to feedback to the pilot which is 
indicative of the pitch maneuver and trim commands. 

This transform converts the physical displacement generated by the 
physical force exerted by the pilot into a trim command for use by 
the FCS . 

This transform receives the pilot force and feedback feel force and 
generates a displacement. 


Expl name 

Translate Flight Path Displ-Cmd 
Generate Flight Path Feel Force 
Translate Long Trim Force to Cmd 

Convert Flight Path Forces-Displ 


Data Flow Description 
Provide Pilot Pitch Interface 


Description 

Numeric value of the manual flight path angle command obtained from 
the flight path angle controller displacement. 

This flow is the flight path angle command in the form of the 
controller displacement. 

This flow is the resistance force exerted by the controller which is 
a feedback to the pilot indicative of the flight path command. 

This is the physical signal created by the crew (pi lot /copi lot ) to 
control the aircraft flight path angle. It is in the form of a 
physical force exerted by the pilot. 

Numeric value of the pilot's longitudinal trim command obtained 
from the pilots longitudinal trim command force. 

The physical force generated by the pilot to generate the desired 
longitudinal trim. 


Name 

Flight Path Angle Command 
Flight Path Command Displacement 
Flight Path Command Feel Force 
Flight Path Command Force 

Longitudinal Trim Command 
Longitudinal Trim Force 


Process Requirements Links 
Provide Pilot Pitch Interface 


£xpl name I-L Reference 


Convert Flight Path Forces-Displ C.F.P.F.l 

Generate Flight Path Feel Force G.F.P.F.F.I 

G.F.P.F.F.2 
G.F.P.F.F 3 


Translate Flight Path Displ-Cmd 

Translate Long Trim Force to Cmd T.L.T.F.C.l 
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Longitudinal Controller Deflection Rates (C.F.P.F.l) 

No force discontinuities or other objectionable characteristics 
command rates. 


shall occur for all controller 
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Longitudinal Feel Forces (G.F.P.F.F.l) 

G.F.P.F.F.1.1 Breakout Forces 

Sidestick controller breakout force shall be within 0.5 to 5.0 lbs for normal operation. 
Minimum acceptable: Sidestick controllers shall have a breakout force range of 0.5 lbs 
to 10.0 lbs. (MH^F-8785C 3.5.2. 1 Class III) 

G.F.P.F.F.l. 2 Maneuvering Controller Forces 

1) At constant speed in steady turning flight, pullups and pushovers, the variation in 
pitch controller force with steady-state normal acceleration shall have no objectionable 
nonlinearities within the following load factor range: 

Minimum Maximum 

0.5 0.5[no(+) + 1] 

where no(+) * maximum service positive load factor. 

Outside this range, a departure from linearity resulting in a local gradient which differs 
from the average gradient for the maneuver by more than 50 percent is considered exces- 
sive, except that larger increases in force gradients are permissible at load factors greater 
than 0.85 nLlMlT. (MIL-F-8785C 3. 2. 2. 2.1) 

2) All local force gradients shall be within the following limits: 

Minimum Gradient Maximum Gradient 

Centerstick 3.0 lbs/g 28.0 lbs/g 

Wheel Controller 35.0 lbs/g 120.0 lbs/g 

In addition the force gradient should be near the upper boundary for combinations of high 
frequency and low damping. (MIL-F-8785C 3. 2. 2. 2.1) 

G.F.P.F.F.l. 3 Configuration Change Controller Forces 

a) The longitudinal trim changes caused by changes in power, flap setting, landing 
gear operation, deceleration devices, etc., should not be so large that peak longitudinal 
control forces in excess of 10 lbs for center stick controller or 50 lbs for wheel controller 
push or pull are required for compensation under normal flight conditions. This objective 
shall apply to a time interval of at least 5 seconds following the completion of the pilot 
action initiating the configuration change. (MIL-F-8785C 3. 6. 3.1) (FAR 25.145(b)) 

G.F.P.F.F.l. 4 Speed Change Controller Forces 

a) The average gradient of the stable slope of the stick force versus speed curve may not 
be less than 1 pound for each 6 knots for the conditions specified in FAR 25.175. (FAR 
25.173(c)) For a sidestick controller the value is 0.5 lb per 6 knots (1/2 the value of 
conventional controllers). 
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b) There may be no control reversal about any axis at any speed up to Vdf/Mdf. An) 
reversal of elevator control force or tendency of the airplane to pitch, ro , or r yaw ' mus e 
mild and readily controllable, using normal piloting techniques. (FAR 25.253(a )(3)) 

G.F.P.F.F.1.5 Mistrim Maneuvering Forces 

In the out-of-trim condition specified below, it must be possible from an ovcrspeed 1 con- 
dition at Vdf/Mdf to produce at least 1.5 g for recovery by applying not more than 125 
pounds for wheel controller or 60 pounds for centerstick (1/2 the value of conventual 
controllers) using the primary longitudinal control. (FAR 25.255(f)) 

From an initial condition with the airplane trimmed at cruise speeds up to Vmo/Mmo. 
obtain the most out-of-trim nose-up and nose-down conditions resulting from the greater 

1) A three second movement of the longitudinal trim system at its normal rate for the 
particular flight condition with no aerodynamic load, except as limited by stops in the 

t™ system ^ can ^ sustaine d by the autopilot while maintaining 

level flight in the high speed cruising condition. 

G.F.P.F.F.1.6 Controller Forces - Stall 

The longitudinal control force must be positive up to and throughout the stall. (FAR 

25.203) ~ 

G.F.P.F.F.1.7 Dynamic Control Forces 

a) The buildup of control forces during maneuver entry shall not lag the buildup of 
normal acceleration at the pilot's location. In addition, the frequency response of 
normal acceleration at the pilot station to pitch control force input shall be such that 
the inverse amplitude is greater than the following at frequencies greater than 1.0 rad/sec. 
(MIL-F-8785C 3. 2. 2. 3.1) 


ONE-HANDED 

CONTROLLERS 

(lbs/g) 


NORMAL 

14 


MINIMUM ACCEPTABLE 
8 


n 


LIMIT 


-1 


"limit 1 
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Enhanced Control Maneuver Control Forces (G.F.P.F.F.2) 

a) Sidestick Force per g 


Sidestick forces shall provide tactile cues that allow the pilot to maneuver the airplane 
precisely. Sidestick forces shall also provide an indication to the pilot of the proximity 
of pitch maneuver load factor to structural limits. The pitch sidestick controller shall 
include a change in force versus deflection gradient at a specified ’’soft stop.” 
Maneuver limit load shall be commanded with stick forces near the soft stop. The 
pilot shall be able to command load factors in excess of limit load at his discretion in 
emergency situations by applying higher forces to the sidestick controller. The maneuver 
stick force per g shall comply with the requirements below for stick forces less than 
those of the soft stop. (MEL-F-8785C 3.2.2. 2.1) 


Right Condition 

F s /g - lb/g 

Minimum 

Maximum 

Landing & Approach 

3 

28 

Climb, Cruise & Descent 

3 

28 


b) Takeoff Rotation Forces 

Sidestick control forces during normal takeoff rotation shall not exceed 25 lbs. (This is 
half the value of conventional controllers of MIL-F-8785C 3. 2. 3. 3.2 for Class ID 
aircraft.) 

c) Landing Flare Forces 

Sidestick control forces during normal landing flare shall not exceed 25 lbs. (This is half 
the value of conventional controllers of MIL-F-8785C 3.2. 3. 4.1 for Class D3 aircraft.) 
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Longitudinal Controller Centering (G.F.P.F.F.3) 

Positive control centering shall be provided in all modes. (MIL-F-8785C 3. 5. 2.1) A 
mechanical or electrical detent equivalent to 10 lbs (TBV) of sidestick controller force 
shall be provided during autopilot control to preclude inadvertent pilot inputs. 
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Longitudinal Trim Control (T.L.T.F.C.l) 

Trim control shall be operable by each of the pilots without removing hands from the 
longitudinal controllers. 

An alternate trim control command path operable by both crew members shall be 
provided. (MIL^F-8785C 3.6.1) 

Means to manually deactivate the trim function shall be provided. (MIL-F-9490D 3. 1.3. 5) 
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Process Descriptions 
Control Roll 


Description 


Display roll trim position to the crew. 

This process generates the roll actuator (aileron / spoiler) position 
commands based on roll rate & trim commands. 

This function compares the target flight path and actual flight path 
and generates necessary roll rate command to drive the actual to the 
target . 

This transform generates roll trim commands to offset asymmetries such 
as engine out, engine loss and lateral winds. 

This function limits the autopilot control authority and protects 
against failures (in particular hardover or oscillatory failures) in 
the autopilot. 

This transform receives the desired roll actuator position and 
attempts to move the roll actuator to that position, 

This transform monitors actual roll angle and commanded roll rate and 
and modifies the roll rate command as necessary to prevent the roll 
angle from exceeding certain limits. 


Data Flow Description 
Control Roll 


Description 


The sensed 4 dimensional flight path & attitudes of the aircraft as 
well as any other sensed values necessary to satisfy the control 
requirements . 

Roll rate command generated in an automated fashion (ie by an 
autoflight computer) . 

Roll trim command generated automatically for use during enhanced 
manual control and autoflight control. 

The desired roll actuator position such that the limited roll rate 
command is achieved. 

This flow is the roll trim position displayed to the crew. 

All forces (in particular environmental forces) other than the 
actuation forces acting on the aerodynamic braking and roll actuation 
system . 

The auto roll rate command limited to the autoflight roll authority. 

The roll rate command limited such that the envelope protection 
criteria are not violated. 

Roll rate command generated manually (ie by the crew). 

The roll trim command as generated by the crew for normal control. 

The trim provides a steady state roll angle to offset asymmetries. 

Position of the system which makes the aircraft roll. 

Airplane roll angle. 

Position of the roll trim actuator. 

The desired 4 dimensional flight path and attitudes generated by 
some navigation function. 


Expl name 

Display Roll Trim Position 
Generate Roll Actuator Command 

Generate Roll Rate Command 

Generate Roll Trim Command 
Limit Auto Roll Commands 

Move Roll Actuator 

Provide Roll Envelope Protect 


Name 

Actual Flight Path 

Auto Roll Rate Command 

Auto Roll Trim Cmd 

Desired Roll Actuator Pos . 

Displayed Roll Trim Position 
External Forces on Actuator 

Limited Auto Roll Command 
Limited Roll Rate Command 

Manual Roll Rate Command 
Manual Roll Trim Command 

Roll Actuator Position 
Roll Angle 
Roll Trim Position 
Target Flight Path 
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Process Requirement s Links 
Control Roll 

Expl name I-L Reference 

Display Roll Trim Position 

Generate Roll Actuator Command 

Generate Roll Rate Command 

Generate Roll Trim Command 

Limit Auto Roll Commands L.A.R.C.l 

Move Roll Actuator 

Provide Roll Envelope Protect F.R.E.F.l 

F.R.E.F.2 
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Roll Autopilot Control and Limiting (L.A.R.C.l) 

a) Core lateral control shall provide autopilot control authority limiting and actuation to 
ensure safety for probable autopilot failure conditions. 

b) Maximum maneuver authority shall not result in the following, assuming a 4 second 
pilot delay in initiating recovery from any system malfunction: (FAR 25.1309) 

1) Bank angle greater than 60 degrees. 

2) Structural loads in excess of limit load due to hardover or oscillator} failures. 
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Automated Envelope Protection (P.R.E.P.l) 

Automated envelope protection shall be provided to 
a probability of loss of function < 10E-06. 


relieve pilot workload and shall have 
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Enhanced Control Roll Envelope Protection (P.R.E.P.2) 


The enhanced control mode shall provide roll envelope protection that shall satisfy the 
following requirements: 

a) Roll Angle Limits 

1) The roll envelope protection function shall operate to the following limits: 


Roll Angle 
Limit Type 


Lateral Controller 
Position 


Roll Angle Limit 
Value (Deg) 


Soft 


All 


+- 35 (TBV) 


Hard 


Out-of-Detent +- 60 (TBV) 


2) When the pilot’s lateral controller is returned to neutral following a maneuver beyond 
the soft limit, the airplane roll angle shall automatically decrease to 35 deg with the 
roll mode time constant specified in Paragraph C.M.F.21(b). 

3) If the airplane should be upset to a roll angle greater than 60 degrees, the roll 
envelope function shall use a pilot lateral controller input as an indication of the pre- 
ferred direction of roll even if that direction results in a roll angle change greater 
than the smallest that can be achieved. The roll back from the upset shall be to 35 
degrees. 

b) Response Characteristics 

1) The roll envelope protection function shall not prevent the pilot from attaining the 
maximum useful airplane performance. 

2) The roll envelope protection function shall comply with the roll mode time constant 
in Paragraph C.M.F.21(b). 

3) Control anticipation shall minimize the effect on maneuvers near the protection 
boundary. Dynamic overshoots of the boundaries shall be minimized consistent with the 
criticality of the limit. 
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Process Descriptions 
Generate Roll Rate Command 


Description 

This process involves the generation of a roll rate command 
automatically (ie by a computer) as a result of the difference 
between the actual and target flight path. 

This process involves the generation of a roll rate command manually 
(ie by the crew) as a result of comparing the target and actual 
flight paths. 


Expl name 

Generate Roll Rate Cmd. Auto 


Generate Roll Rate Cmd. Manual 


Control Process Descriptions 
Generate Roll Rate Command 


Description 

This process activates one of the 
depending on the mode engaged . 

This transform decides whether to 
manually or automat ical ly . 


roll rate generation processes 
generate flight path commands 


Expl name 

Engage Man/ Auto Operation 

Make Manual/Auto Flight Decision 


Data Flow Description 
Generate Roll Rate Command 


Description 

The sensed 4 dimensional flight path a attitudes of the aircraft as 
well as any other sensed values necessary to satisfy the control 
requirements . 

Roll rate command generated in an automated fashion (ie by an 
autoflight computer) . 

Roll rate command generated manually (ie by the crew). 


Name 

Actual Flight Path 

Auto Roll Rate Command 
Manual Roll Rate Command 


The desired 4 dimensional flight path and attitudes generated by Target Flight Path 

some navigation function. 


Process Architectural Assignments 
Generate Roll Rate Command 


Expl name 

Generate Roll Rate Cmd. Auto 
Generate Roll Rate Cmd. Manual 


associated aes 

Auto-Flight System 

Pilot 

Copilot 
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Process Descriptions 

Flight Cntrl Sys Roll Context 


Description 

This process contains all the flight control functions assigned to 
the FCS . as a result of this assignment several new processes are 
created. Some of these are interface functions and others are as a 
result of how functions were allocated to AEs. (ie. Envelope 
protection was assigned to the FCS with a probability of failure 
<10E-6 . However this function requires <10£-09. Therefore the pilot 

& 

by 


. HU* C > Cl V i U * » Vr * * v . « J 

copilot must perform envelope protection when not being performed 
the FCS Thus a pilot indication function of the status of 
velope protection is generated.) Pilot L copilot can command roll 


envelope prot 
rate, thus there is 


functional req. to resolve control contention. 


Data Flow Description 
Flight Cntrl Sys Roll Context 


Description 

Roll rate command generated in an automated fashion (ie b> an 
autoflight computer) . 

Roll trim command generated automatically for use during enhanced 
manual control anc autoflight control. 

This flow is a resistance force exerted by the controller which is a 
feedback to the copilot indicative of the roll rate command. 

This is the physical signal created by the copilot to control the 
aircraft. It is in the form of a force exerted by the pilots hand. 

This is the physical force exerted by the copilot's hand to generate 
the desired roll trim command. 

This flow is a resistance force exerted by the controller which is a 
feedback to the pilot indicative of the roll rate command. 

This is the phvsical signal created by the pilot to control the 
aircraft. It is in the form of a force exerted by the pilots hand. 

This is the physical force exerted by the pilot s hand to generate the 
desired roll trim command. 

Position of the system which makes the aircraft rcl^. 


Process Requirements Links 
Flight Cntrl Sys Roll Context 


Expl name I Reference 

Flight Cntrl Svs Roll Functns F.C.S.R.F1 

F.C.S.R.F.2 


Expl name 

Flight Cntrl Sys Roll Functns 


Name 

Auto Roll Hate Command 
Auto Roll Trim Cmd 
Copilot RR Cmd/ Feel Force 
Copilot Roll Rate Force 
Copilot Roll Trim Force 
Pilot RR Cmd. Feel Force 
Pilot Roll Rate Force 
Pilot Roll Trim Force 
Roll Actuator Position 
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Envelope Protection Mode Indication and Alert (F.C.S.R.F.l) 

Indication shall be provided to inform the pilot when an envelope protection mode has 
become active. An alert indication shall inform the pilot of loss of an envelope protection 
function. The loss of an envelope protection function and the failure to inform the pilot 
of the loss shall be extremely improbable. (FAR 25.672(a)) 

(This functional requirement was generated because the pilot is resposible for envelope 
protection when not provided automatically.) 
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Pilot and co-pilot roll control contention resolution (F.C.S.R.F.2) 

Pilot and co-pilot roll control contention shall be resolved. 

(This functional requirement arises because the generate manual 
roll rate command was assigned to both the pilot and copilot AEs) 
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Process Descriptions 

Flight Cntrl Sys Roll Functns 


Description 


Display roll trim position to the crew. 

This transform results from the allocation of Provide Roll Envelope 
Protection to the PCS with a probability of loss of function of 
<10E-6. Provide Roll Envelope Protection has a probability of loss of 
function of < 10E-9 and thus the crew has responsibility for roll 
envelope protection when not performed by the FCS. Thus the crew 
must be aware of envelope protect status, hence the functional 
requirement to Display Roll Envelope Protect Status. 

This process generates the roll actuator (aileron / spoiler) position 
commands based on roll rate & trim commands. 

This function limits the autopilot control authority and protects 
against failures (in particular hardover or oscillatory failures) in 
the autopilot. 

This transform receives the desired roll actuator position and 
attempts to move the roll actuator to that position. 

This transform provides the same function for the copilot as the 
Provide Filot Roll Interface does for the pilot. 

This functions converts the signal received from the pilot in the 
form of a force exerted by the pilots hand into a roll rate signal to 
be usee by the FCS. It also provides the pilot with a feedback feel 
force proportional to the commanded roll rate. 

This transform monitors actual roll angle and commanded roll rate and 
and modifies the roil rate command as necessary to prevent the roll 
angle from exceeding certain limits. 

This process was generated by the assignment of the Generate Roll 
Rate Cmd. Manual to both the pilot & copilot. 


Data Flow Description 
Flight Cntrl Sys Roll Functns 


Description 

■jhe sensed 4 dimensional flight path & attitudes of the aircraft as 
well as any other sensed values necessary to satisfy the control 
requirements . 

Roll rate command generated in an automated fashion (ie by an 
autoflight computer). 

Roll trim command generated automatically for use during enhanced 
manual control and autoflight control. 

This flow is a resistance force exerted by the controller which is a 
feedback to the copilot indicative of the roll rate command. 

Numeric value of the copilot roll rate command obtained form the 
copilot roll rate force. 

This is the physical signal created by the copilot to control the 
aircraft. It is in the form of a force exerted by the pilots hand. 

Numeric value of the copilot roll trim command as obtained from the 
copilot roll trim force. 

This is the physical force exerted by the copilot's hand to generate 
the desired roll trim command. 

This flow is the roll trim position displayed to the crew. 

Status of the availability and activity of the roll envelope 
protection function displayed to the crew. 

Roll rate command generated manually (ie by the crew). 

The roll trim command as generated by the crew for normal control. 
The trim: provides a steady state roll angle to offset asymmetries. 

This flow is a resistance fcrce exerted by the controller which is a 
feedback tc the pi let indicative of tne roll rate command 
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Expl name 

Display Roll Trim Position 
Display Roll Envlp Protct Stats 

Generate Roll Actuator Command 
Limit Auto Roll Commands 

Move Roll Actuator 

Provide Copilot Roll Interface 

Provide Pilot Roll Interface 

Provide Roll Envelope Protect 
Resolve Roll Control Contention 

Name 

Actual Flight Path 

Auto Roll Rate Command 

Auto Roll Trim Cmd 

Copilot RR Cmd. Feel Fcrce 

Copilot Roll Pate Command 

Copilot Roll Rate Force 

Copilot Roll Trim Command 

Copilot Roll Trim Force 

Displayed Roll Trim Position 
Dsplvd Roll Envlp Protct Status 

Manual Roll Rate Command 
Manual Roll Trim Command 

Pilot F H Cm.d Feel Force 



Data Flow Description 
Flight Cntrl Sys Roll Functns 


Name 


Description 


N^mericvilue of the pilots roll rate command obtained from the 
pilots roll rate force. 

Numeric value of the pilots roll trim command obtained from the 
pilots roll trim force. 

This is the physical force exerted by the pilot's hand to generate 
desired roll trim command. 

Position of the system which makes the aircraft roll. 

Airplane roll angle. 

Activity and availability of the roll envelope protection function. 
Position of the roll trim actuator. 


Pilot Roll Rate Command 

Pilot Roll Rate Force 

Pilot Roll Trim Command 

the Pilot Roll Trim Force 

Roll Actuator Position 
Roll Angle 

Roll Envelope Protect Status 
Roll Trim Position 


Process Requirements Links 
Flight Cntrl Sys Roll Fur.ctns 


Exp 1 name 

Display Roll Envip Protct Stats 
Display Roll Trim Position 
Cenerate Roll Actuator command 
Limit Auto Roll Commands 
Move Roll Actuator 
Provide Copilot Roll Interface 
Provide Pilot Roll Interface 
Provide Roll Envelope Protect 

Resolve Roll Control Contention 


I-L Reference 


L . A R . C . I 


F fi.E.F.l 
F . R E . P . 2 

F. . R . C . C . 1 
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Pilot and co-pilot contention resolution (R.R.C.C.l) 

Pilot and co-pilot lateral control contention for sidestick controllers shall be resolved as 
follows. 

a) Pilot and copilot commands of same sign chose larger command. 

b) Pilot and copilot commands of opposite sign add commands algebraically. 

c) In the event of a controller jam the function shall operate as though the jammed con- 
troller were in the detent position. 
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Process Descriptions 
Provide Pilot Roll Interface 


Description 

This process receives the pilot force and feedback feel force and 
generates a displacement. 

This transform generates a force to feedback to the pilot which is an 
indication of the commanded roll rate. 

This transform translates the sidestick controller displacement to a 
roll rate command. 

This process converts the physical displacement generated by the 
physical force exerted by the pilot into a trim command for use by the 

FCS. 


Data Flow Description 
Provide Pilot Roll Interface 


Descript ion 


This flow is a resistance force exerted by the controller which is a 
feedback to the pilot indicative of the roll rate command. 

This flow is the roll rate controller displacement in inches. 

This flow is the roll rate command in deg/sec. 

This is the physical signal created by the pilot to control the 
aircraft. It is in the form of a force exerted by the pilots hand. 

The command such that the airplane holds a small steady state roll 
angle to offset asymmetries. 


Process Requirements Links 
Provide Pilot Roll Interface 

Expl name I-L Reference 

Convert Roll Forces * Displ. C.R.F.D.l 

Cenerate Roll Feel Force G.R.F.F.l 

C.R.F.F.2 

G.R.F.F.3 

Translate HR D;spl to RR Command 
Translate Trim Force to Command T.T.F.C.l 


Expl name 

Convert Roll Forces - Displ. 
Generate Roll Feel Force 
Translate RR Displ to RR Command 
Translate Trim Force to Command 


Name 

RR Cmd.Feel Force 

Roll Rate Cmd . Dipl. 
Roll Rate Command 
Roll Rate Force 

Roll Trim Command 
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Lateral Controller Deflection Rates (C.R.F.D.l) 

No force discontinuities or other objectionable characteristics 
command rates. (MIL-F-8785C 3.5.3) 


shall occur for all controller 
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Lateral Feel Forces (G.R.F.F.l) 

G.R.F.F.1.1 General 

Roll control feel forces shall be designed for one-handed operation. 

G.R.F.F.l. 2 Normal Operation 

The roll control forces for sidestick controls shall be within 12 lbs to 20 lbs for inboard 
movement and 8 lbs to 20 lbs for outboard movement with preference for the lower end. 
Centerstick controller breakout forces shall be within .5 lbs to 4.0 lbs. (MIL-F-S7S5C 
3. 5. 2.1 Class ID aircraft) The maximum lateral control force (centerstick controller) 
shall be less than 20 lbs. (MIL-F-8785C 3. 3.4. 3) 
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Lateral Control Linearity (G.R.F.F.2) 

There shall be no objectionable nonlinearities in the variation of rolling response 
control deflection or force. Sensitivity or sluggishness in response .0 small control deflec 
tions or force shall be avoided. (MIL-F-8785C 3. 3.4. 4) 

Overall roll rate per sidestick force shall comply with the requirements t of GXJF.l ■ 
Controller sensitivity shall increase for larger stick forces as shown m Figure G.R.F.F.--1 
fn orfer to command roll rates needed to comply with the time-to-bank cmena of 
Paragraph C.M.F.17.2. while preventing sensitivity problems for small suck forces. 
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Controller Centering (G.R.RF.3) 

Positive control centering shall be provided in all modes. (MIL-F-8785C 3.5.2 1) A 
mechanical or electrical detent equivalent to 10 lbs (TBV) of sidestick control 
shall be provided during autopilot control to preclude inadvertent pi ot inputs. 


167 



Lateral Trim Control (T.T.F.C.l) 

a) Lateral trim shall be configured such that conventional pilot trimming techniques may 
be used. 

b) Trim inputs shall be in series with the pilot controller. 
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Process Descriptions 
Control Yaw 


Description 


This transform displays the position of the directional trio actuator 
to the crew. 

This process monitors the engine thrust and generates a yaw command 
to assist the pilot in compensating for an engine out situation. In 
particular it helps relieve pilot workload in takeoff and go around 
which are high pilot workload situations. 

This transform generates directional trim commands to offset 
asymmetries such as engine out and lateral winds. 

This process involves the generation of sideslip commands to allow 
for decrab for landings, performing coordinated turns and offsetting 
certain asymmetries. 

This process generates the sideslip actuator (rudder) position 
command based on the limited sideslip command, directional trim 
command and the engine out control augmentation command. 

This function limits the autopilot control authority and protects 
against failures (in particular hardover or oscillatory failures) in 
the autopilot. 

This transform receives the desired yaw actuator position and 
attempts to move the yaw actuator to that position. 

This function monitors the commanded sideslip and the actual sideslip 
and modifies the sideslip command to prevent the sideslip angle from 
exceeding unsafe limits. 


Data flow Description 
Control Yaw 


Description 

The sensed 4 dimensional flight path & attitudes of the aircraft as 
well as any other sensed values necessary tc satisfy the control 
requirements . 

Directional trim command generated automatically for use during 
enhanced manual control and autoflight control. 

Sideslip command generated in an automated fashion (ie by an 
autoflight computer). 

The desired yaw actuator position such that the limited sideslip 
and directional trim commands are achieved. 

Position of the directional trim actuator. 

This flow is the directional trim actuator position displayed to the 
crew . 

Automatically generated yaw command to assist the pilot in 
controlling the aircraft in an engine out situation. 

Thrust measurements of engines to determine capture engine out event. 

All forces (in particular environmental forces) other that the 
actuation forces acting on the yaw actuation system. 

The auto sideslip command protected against oscillatory failures and 
limited to autoflight authority. 

The sideslip command limited such that the sideslip envelope 
protection criteria are not violated. 

The directional trim command as generated by the crew for use during 
normal control to offset asymmetries. 

Sideslip command generated manually (ie by the crew). 

Airplane sideslip angle. 

The desired 4 dimensional flight path and attitudes generated by 
some navigation function. 

Position of the system which caused the aircraft to yaw (rudders). 
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Expl name 

Display Directional Trim Posit. 
Engine Out Control Augmentation 

Generate Yaw Trim Command 
Generate Sideslip Command 

Generate Yaw Actuator Command 

Limit Auto Sideslip Commands 

Move Yaw Actuator 

Provide Yaw Envelope Protect 

Name 

Actual Flight Path 

Auto Directional Trim Command 

Auto Sideslip Command 

Desired Yaw Actuator Position 

Directional Trim Position 
Displayed Directional Trim Pos 

ECA Yaw Command 

Engines Thrust 

External Forces on Yaw Actuator 

Limited Auto Sideslip Command 

Limited Sideslip Command 

Manual Directional Trim Command 

Manual Sideslip Command 
Sideslip Angle 
Target Flight Path 

Yaw Actuator Position 


Process Requirements Links 
Control Yaw 


Expl name 

Display Directional Trim Posit. 
Engine Out Control Augmentation 
Generate Sideslip Command 
Generate Yaw Actuator Command 
Generate Yaw Trim Command 
Limit Auto Sideslip Commands 
Move Yaw Actuator 
Provide Yaw Envelope Protect 


I-L Reference 
E.O.C. A. 1 

L.A.S.C.l 

P. Y.E.P. 1 
P. Y.E.P2 


Engine-Out Control Augmentation (ECA) (E.O.C.A.l) 

The ECA function shall comply with the following requirements: 

a) ECA shall be available in the enhanced mode except during ground operations where 
airspeed is below 60 knots and/or reverse thrust is used. 

b) The initial airplane yaw response after an engine-out, with ECA operational, shall 
be toward the failed engine. 
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Directional Autopilot Control and Limiting (L.A.S.C.l) 


The directional control system 
limiting to ensure safety during 


shall provide autopilot control actuation and authority 
any conceived failure condition. (FAR 25.1309(b)) 
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Sideslip Protection (P.Y.E.P.l) 

Sideslip protection shall function during all core and enhanced modes to prevent the 
airplane from exceeding sideslip angle excursions beyond maneuver requirements. 

a) Sideslip Angle Limits 

For commanded or uncommanded sideslip the maximum sideslip angle shall be 
controlled to limits scheduled on airspeed as shown in Figure P.Y.E. P.1-1. The actual 
sideslip values are TBD based on maneuvering (decrab and turn coordination) require- 
ments, lateral control considerations and structural considerations. These sideslip limits 
shall apply to all airplane configurations. Steady state slideslip angles within the lower 
boundary shall be available for sideslip maneuvers. Sideslip angle overshoots shall not 
exceed the upper boundary. 

b) Response characteristics 

1) The sideslip protection function shall not inhibit compliance with the enhanced 
yaw maneuver response requirements. 

2) The envelope protection function shall not prevent the pilot from attaining the 
maximum useful airplane performance. 

3) Control anticipation shall be included in the design to minimize the effect on 
maneuvers near the protection boundary. Dynamic overshoots of the boundaries shall be 
minimized consistent with the criticality of the limit. 
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Automated Directional Envelope Protection (P.Y.E.P.2) 

Automated directional envelope protection shall be provided to relieve pilot workload and 
shall have a probability of loss of function < 10E-06. 
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Process Descriptions 
Generate Sideslip Command 


Description 

This process involves the generation of a sideslip command 
automatically (ie by a computer). 

This process involves the generation of a sideslip command manually 
(ie by the crew) as a result of comparing the actual and desired 
flight path (including attitudes). 


Expl name 

Generate Sideslip Cmd. Auto 
Generate Sideslip Cmd. Manual 


Control Process Descriptions 
Generate Sideslip Command 


Description 

This process activates one of the sideslip generation processes 
depending on the mode engaged. 

This transform decides whether to generate sideslip and directional 
trim commands manually or automatically. 


Expl name 

Engage Man/Auto Operation Yaw 


Make Manual/Auto Flight Decision 


Data Flow Description 
Generate Sideslip Command 


Description 

The sensed 4 dimensional flight path & attitudes of the aircraft as 
well as any other sensed values necessary to satisfy the control 
requirement s . 

Sideslip command generated in an automated fashion (ie by an 
autoflight computer) . 

Sideslip command generated manually (ie by the crew). 

The desired 4 dimensional flight path and attitudes generated by 
tome navigation function. 


Name 

Actual Flight Path 

Auto Sideslip Command 

Manual Sideslip Command 
Target Flight Path 


Process Architectural Assignments 
Generate Sideslip Command 


Expl name 

Generate Sideslip Cmd. Auto 
Generate Sideslip Cmd. Manual 


associated aes 

Auto-Flight System 

Pilot 

Copilot 
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Process Descriptions 
Flight Cntrl Sys Yaw Context 


Description 

This process contains all the directional axis flight control 
functions assigned to the FCS. As a result of this assignment several 
new processes are created. Some are interface functions and other 
arise due to architectural assignments. Envelope protection was 
assigned to the FCS with prob. of failure < 10E-6, however the 
function requires <lOE-9. Therefore the crew must perform the 
function when not available from the FCS. Thus a crew indication 
function of envelope protect status was generated. Also, both pilot 
and copilot command sideslip and thus control contention must be 
resolved. 


Data Flow Description 
Flight Cntrl Sys Yaw Context 


Description 

Directional trim command generated automatically for use during 
enhanced manual control and autoflight control. 

Sideslip command generated in an automated fashion (ie by an 
autoflight computer) . 

The physical force exerted by the copilot to generated the desired 
directional trim command. 

This flow is a resistance force exerted by the controller which is a 
feedback to the copilot indicative of the sideslip command. 

The physical force exerted by the copilot to control the aircraft 
sideslip angle. 

This is the physical force exerted by the pilot's hand to generate 
the desired directional trim command. 

This flow is a resistance force exerted by the controller which is a 
feedback to the pilot indicative of the sideslip command. 

This is the physical force exerted by the pilot to command the 
aircraft sideslip. 

Position of the system which caused the aircraft to yaw (rudders) . 


Process Requirements Links 
Flight Cntrl Sys Yaw Context 


Expl name I-L Reference 

Flight Cntrl Sys Yaw Functns F.C.S.Y.F.l 

F.C.S.Y.F.2 


Expl name 

Flight Cntrl Sys Yaw Functns 


Name 

Auto Directional Trim Command 
Auto Sideslip Command 
Copilot Directional Trim Force 
Copilot Sideslip Cmd Feel Force 
Copilot Sideslip Force 
Pilot Directional Trim Force 
Pilot Sideslip Cmd Feel Force 
Pilot Sideslip Force 
Yaw Actuator Position 
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Directional Envelope Protection Mode Indication and Alert (F.C.S.Y.F.l) 

Indication shall be provided to inform the pilot when an envelope protection mode has 
become active. An alert indication shall inform the pilot of loss of an envelope protection 
function. The loss of an envelope protection function and the failure to inform the pilot 
of the loss shall be extremely improbable. (FAR 25.672)(a) 

(This functional requirement was generated because the pilot is resposible for envelope 
protection when not provided automatically.) 
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Pilot and Co-pilot Yaw Control Contention (F.C.S.Y.F.2) 
Pilot and co-pilot yaw control contention shall be resolved. 
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Process Descriptions 
Flight Cntrl Sys Yaw Functns 


Description 


This transform displays the position of the directional trim actuator 
to the crew. 

This transform results from the allocation of Provide Yaw Envelope 
Protection to the FCS with a probability of loss of function < 10E-6. 
Yaw Envelope Protection has a probability of loss of function < 10E-9 
and thus the crew has responsibility for yaw envelope protection when 
not performed by the FCS, hence the crew must be aware of the 
envelope protection status which leads to this functional 
requirement . 

This process monitors the engine thrust and generates a yaw command 
to ass:st the pilot in compensating for an engine out situation. In 
particular it helps relieve pilot workload in takeoff and go around 
which are high pilot workload situations. 

This process generates the sideslip actuator (rudder) position 
command based on the limited sideslip command, directional trim 
command and the engine out control augmentation command. 

This function limits the autopilot control authority and protects 
against failures (in particular hardover or oscillatory failures) in 
the autopilot. 

This transform receives the desired yaw actuator position and 
attempts to move the yaw actuator to that position. 

This function provides the same function for the copilot as the 
Provide Pilot Yaw Interface does for the pilot. 

This function converts the signal received from the pilot in the form 
of a force exerted by the pilots hand into a sideslip signal to be 
used by the FCS. It also provides the pilot with a feedback feel 
force proportional to the commanded sideslip angle. 

This function monitors the commanded sideslip and the actual sideslip 
and modifies the sideslip command to prevent the sideslip angle from 
exceeding unsafe limits. 

This process was generated as a result of the assignment of the 
Generate Sideslip Cmd Manual to both the pilot and copilot. 


Data Flow Description 
Flight Cntrl Sys Yaw Functns 


Description 


The sensed 4 dimensional flight path A attitudes of the aircraft as 
well as any other sensed values necessary to satisfy the control 
requirement s . 

Directional trim command generated automatically for use during 
enhanced manual control and autoflight control. 

Sideslip command generated in an automated fashion (ie by an 
auloflight computer). 

Numeric value of the copilot directional trim command as obtained 
from the copilot roll trim force. 

The physical force exerted by the copilot to generate the desired 
directional trim command. 

This flow is a resistance force exerted by the controller which is a 
feedback to the copilot indicative of the sideslip command. 

Numeric value of the copilot sideslip command obtained from the 
Copilot Sideslip Force 

The physical force exerted by the copilot to control the aircraft 
sideslip angle. 

The desired yaw actuator position such that the limited sideslip 
and directional trim commands are achieved. 

Position cf the directional trim actuator. 
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Expl name 

Display Directional Trim Posit. 
Display Yaw Envlp Protct Status 

Engine Out Control Augmentation 

Generate Yaw Actuator Command 

Limit Auto Sideslip Commands 

Move Yaw Actuator 

Provide Copilot Yaw Interface 

Provide Filot Yaw Interface 

Provide Yaw Envelope Protect 
Resolve Yaw Control Contention 

Name 

Actual Flight Path 

Auto Directional Trim Command 
Auto Sideslip Command 
Copilot Directional Trim Cmd 
Copilot Directional Trim Force 
Copilot Sideslip Cmd Feel Force 
Copilot Sideslip Command 
Copilot Sideslip Force 
Desired Yaw Actuator Position 
Directional Trim Position 


Data Flow Description 
Flight Cntrl Sys Yaw Functns 


Description 

Thir«ow‘irihe’dIrectIon«l trim actuator position displayed to t e 

crew . 

th ‘ 

=^“ “ 

ThiMtl of en*inss to d.t.r.io. •«*<«• •»«>”• “* 

n. . 0.0 co...nd protected .d.io.t o.oilUior, UW 

limited to autof light authority. 

The sideslip command limited such that the sideslip envelope 
protection criteria are not violated. 

The directional tri. command as generated by the crew for use during 
normal control to offset asymmetries. 

Sideslip command generated manually (ie by the ere ) 

Numeric value of the physical force exerted by the pilot s 
generate the desired directional trim command. 

This is the physical force exerted ^by the pilot's hand to generate 
the desired directional tnir, command. 

Numeric value of the pilot's sideslip command obtained from the 
Pilot Sideslip Force. 

This is the physical force exerted by the pilot to command the 
aircraft sideslip. 

Airplane sideslip angle. 

Position of the system which caused the aircraft to yaw (rudders). 
Activity and availability of the Provide Yaw Envelope Protection 
function. 


Name 

Displayed Directional Trim Pos 
Dsplyd Yaw Envlp Protct Status 
ECA Yaw Command 
Engines Thrust 

Limited Auto Sideslip Command 

Limited Sideslip Command 

Manual Directional Trim Command 

Manual Sideslip Command 
pilot Directional Trim Cmd 

Pilot Directional Trim Force 

Pilot Sideslip Cmd Feel Force 

Pilot Sideslip Command 

Pilot Sideslip Force 

Sideslip Angle 

yaw Actuator Position 

yaw Envelope Protect Status 


Process Requirements Links 
Flight Cntrl Sys Yaw Functns 


Expl name 

Display Directional Trim Posit. 
Display Yaw Envlp Protct Status 
Engine Out Control Augmentation 
Generate Yaw Actuator Command 
Limit Auto Sideslip Commands 
Move Yaw Actuator 


I-L Reference 


E.O.C. A. 1 
L.A.S.C.l 


Provide Copilot Yaw Interface 


Provide Pilot Yaw Interface 

Provide Yaw Envelope Protect py e!p.2 

Resolve Yaw control Contention R.Y.C.C.l 
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Pilot and Co-pilot Yaw Control Contention Resolution (R.Y.C.C.l) 
The pilot’s and co-pilot’s pedals shall be bussed together. 
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Process Descriptions 
Provide Pilot Ye* Interface 


Description 

This process receives the pilot force and feedback feel force and 
generates a displacement. 

This transform generates a force to feedback to the pilot which is an 
indication of the commanded sideslip angle. 

This transform translates the displacement (rudder pedal) to a 
sideslip command. 

This process converts the physical displacement generated by the 
physical force exerted by the pilot into a trim command for use by 
the FCS. 


Data Flow Description 
Provide Pilot Yaw Interface 


Description 

The directional trim command in degrees. 

The physical force exerted by the pilot to generate the desired 
directional trim. 

The manually generated sideslip command in degrees. 

The sideslip controller (rudder pedal) displacement in inches. 

This flow is a resistance force exerted by the controller which is a 
feedback to the pilot indicative of the sideslip command. 

The physical signal in the form of a force created by the pilot to 
control the aircraft sideslip angle. 


Process Requirements Links 
Provide Pilot Yaw Interface 


Expl name 

Convert Yaw Forces - Displ. 

Generate Sideslip Feel Force 

Translate Direc Trim Force/Cmd 
Translate Sideslip Displ to Cmd 


I-L Reference 


C.Y.F.D. 1 
C.Y.F.D.2 

G.S.F.F.l 

G.S.F.F.2 

T.D.T.F.C. 1 


Expl name 

Convert Yaw Forces - Displ. 
Generate Sideslip Feel Force 
Translate Sideslip Displ to Cmd 
Translate Direc Trim Force/Cmd 


Name 

Directional Trim Command 
Directional Trim Force 

Sideslip Command 

Sideslip Command Displacement 

Sideslip Feel Force 

Sideslip Force 
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Pilot Directional Control (C.Y.F.D.l) 


Maximum available rudder travel at all flight conditions shall normally be obtained by a 
rudder pedal deflection of TBD inches. 
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Directional Controller Deflection Rates (C.Y.F.D.2) 

No force discontinuities or other objectionable characteristics shall occur for all controller 
command rates. (MIL-F-8785C 3.5.3) 
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Directional Feel Forces (G.S.F.F.l) 

a) The total pedal breakout force shall be between 1 lb and 14 lbs 
(MIL-F-8785C 3.5. 2.1) 

b) The maximum pedal force shall not exceed approximately 150 
application and 20 lbs for prolonged application. (FAR 25.143) 


including friction, 
lbs for temporary 
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Directional Controller Centering (G.S.F.F.2) 

Positive control centering shall be provided in all modes. (MIL-F-8785C 3. 5. 2.1) 
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Directional Trim Control (T.D.T.F.C.l) 

a) The directional trim system implementation sha„ be consistent with conventional pilot 
trimming techniques for all-engine and eng.ne-out situations. 

b) Trim inputs shall be in series with the pilot pedals. 
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Architecture Element Requ 
The System 


Expl name 
Aircraft 

Flight Environment 


I-L Reference 


irement s 


















Expl name 
Airframe System 
Auto-Flight System 
Copilot 

Flight Control System 
Pilot 

Propulsion System 
Sensor Systems 


Architecture Element Requirements 
Aircraft 

I-L Reference 


Flight .Control . Sys . Req . List 


Flight.Control.Sys.Req.List 

F.C.S.l Control System Signal Transmission 

F.C.S.2 System Requirements Under Failure Conditions 

F.C.S.3 Control System Separation 

F.C.S.4 Control System Sensors 

F.C.S.5 Control System Actuation 

F.C.S.6 System Test Requirement 

F.C.S.7 Control Transients 

F.C.S.8 Control Force Harmony and Coordination 
F.C.S.9 Control Surface Position Indication 
F.C.S.10 Flight Control System Caution and Warning 
F.C.S.l 1 Control System Invulnerability 
F.C.S.12 Operational Exposure Requirement 

F.C.S.13 Longitudinal Control Reliability Requirements with Failure Conditions 
F.C.S.14 Lateral Control Reliability Requirements with Failure Conditions 
F.C.S.15 Directional Control Reliability Requirements with Failure Conditions 
F.C.S.l 6 Directional Control System 

F.C.S.l 7 High Lift Control Reliability Requirements with Failure Conditions 
F.C.S.l 8 Aerodynamic Braking Reliability Requirements with Failure Conditions 
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Control System Signal Transmission (F.C.S.l) 

The FCS signals between the sensors, computers and the surface actuators shall be trans- 
mitted by high speed electrical or optical data buses. Redundant and dissimilar paths 
shall be provided to meet the FCS safety requirements. Redundant transmission channels 
shall, to the extent practical, use separate paths to minimize the possibility of simultane- 
ous damage. (MIL-F-9490D 3. 1.3.1 & 3.2. 3. 3) 
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System Requirements Under Failure Conditions (F.C.S.2) 

The flight control system shall as a minimum meet the requirements of Part 25 of the 
Federal Aviation Regulations. The requirements pertaining to system operation following 
failures is reproduced verbatim as follows: 

FAR 25.671(b) 

Each element of each flight control system must be designed, or distinctively and perma- 
nently marked, to minimize the probability of incorrect assembly that could result in the 
malfunctioning of the system. 

FAR 25.671(c) 

The airplane must be shown by analysis, test, or both to be capable of continued safe 
flight and landing after any of the following failures or jamming in the flight control 
system and surfaces (including trim, lift, drag, and feel systems) within the normal flight 
envelope, without requiring exceptional piloting skill or strength. Probable malfunctions 
must have only minor effects on control system operation and must be capable of being 
readily counteracted by the pilot. 

1) Any single failure, excluding jamming (for example, disconnection or fail- 
ure of mechanical elements, or structural failure of hydraulic components, such as actua- 
tors, control spool housing, and valves). 

2) Any combination of failures not show-n to be extremely improbable, ex- 
cluding jamming (for example, dual electrical or hydraulic system failures, or any single 
failure in combination with any probable hydraulic or electrical failure). 

3) Any jam in a control position normally encountered during takeoff, climb, 
cruise, normal turns, descent, and landing unless the jam is shown to be extremely im- 
probable, or can be alleviated. A runaway of a flight control to an adverse position and 
jam must be accounted for if such runaway and subsequent jamming is not extremely 
improbable. 

FAR 25.671(d) 

The airplane must be designed so that it is controllable if all engines fail. Compliance 
with this requirement may be shown by analysis where that method has been shown to be 
reliable. 


FAR 25.672(b) 

The design of the stability augmentation system or of any other automatic or power-oper- 
ated system must permit initial counteraction of failures of the type specified in 25.671(c) 
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without requiring exceptional pilot skill or strength, b> either the deactnation o ) 

tern or a failed portion thereof, or by overriding the failure by movement of the flight 

controls in the normal sense. 


FAR 25.672(c) 

It must be shown that after any single failure of the stability augmentation system or any 
other automatic or power-operated system. 

1) The airplane is safely controllable when the failure or malfunction occurs a. any 

speed or altitude within the approved operating limitations that is critical for the type of 
failure being considered; 

o) The controllability and maneuverability requirements of this Part are met within a 
practical operational flight envelope (for example, speed, altitude normal acceleration, 
and airplane configurations) which is described in the Airplane Flight Manual; and 

3) The trim, stability, and stall characteristics are not impaired below a level needed to 
permit continued safe flight and landing. 


FAR 25.729(f) 

Equipment that is essential to safe operation of the airplane and that is located in wheel 
wells must be protected from the damaging effects of; 

1) A burstine tire, unless it is shown that a tire cannot burst from overheat; and 

2) A loose tire tread, unless it is shown that a loose tire tread cannot cause damage. 


FAR 25.1309(a) 

The equipment, systems, and installations whose functioning is required by this subchap, 
ter, must be designed to ensure that they perform their intended functions under an) 
foreseeable operating condition. 


FAR 25.1309(b) 

The airplane systems and associated components, considered separately and in relation to 
other systems, must be designed so that: 

1) The occurrence of any failure condition which would prevent the continued safe flight 
and landine of the airplane is extremely improbable, and 

V The occurrence of anv other failure condition which would reduce the capability of 
ihe airplane or the ability of the crew to cope with the adverse operating conditions is 

improbable. 
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Control System Separation (F.C.S.3) 


The control system design shall use physical separation, functional separation and electri- 
cal isolation between redundant flight control elements and between the flight control 
system and other systems to the maximum extent practical to safeguard the integrity of 
redundant flight control channels. (MIL-F-9490D 3. 2. 3. 1.2) Sources of common mode 
failures to be considered include: 

Failure of local structure 
Engine or APU burst 

Environmental conditions such as temperature or fluid contamination 
Flight crew or maintenance crew errors 
Electromagnetic interference 
Lightning strike 

a) Dement Separation 

It shall be a requirement to separate control elements and signal transmission paths of 
redundant channels to the extent practical to minimize the possibility of simultaneous 
damage to more than one control channel. 

b) Functional Partitioning 

If different control functions are combined in an LRU, functional partitioning shall be 
used to the extent practical to minimize the possibility of failure of one function affecting 
the performance of the other functions. 

c) Failure Propagation 

Separation and isolation shall be provided to prevent failure of a subsystem or component 
from degrading the performance of an interfacing subsystem or component that has a 
higher level of criticality for safety. Nonessential system failures shall not affect essential 
or critical systems. Essential system failures shall not affect critical systems. It shall be a 
requirement to minimize failure propagation between systems or elements with similar 
criticality. 
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Control System Sensors (F.C.S.4) 

The flight control system shall be designed to minimize the number of sensors required 
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Control System Actuation (F.C.S.5) 

The flight control surfaces shall be actuated by electrical or hydraulic power. Control 
surface authority, rates, and dynamic characteristics shall satisfy the handling qualities, 
envelope protection and structural design requirements. 

a) Buzz and Rutter Requirements 

The actuation system shall provide adequate stiffness to satisfy the buzz and flutter re- 
quirements. (MIL-F-9490D 3.1.11.2 & 3.2. 6.7. 3) 

b) Multiple Actuator Requirements 

In essential and flight phase essential flight control actuator installations employing multi- 
ple connected servoactuators, the actuators shall be synchronized as necessary to assure 
specified performance and durability as specified in MIL-F-8785C 3.1.11.3 in the struc- 
ture between actuators without undue structural weight penalties. (MIL-F-9490D 
3. 2. 6. 4. 4) 
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System Test Requirement (F.C.S.6) 

a) Preflight Test 

An automated preflight test shall be provided. It shall have the capability to test the flight 
control system and its interfaces and annunciate dispatch status to the crew. No control 
surface motion shall occur during the test. (MIL-F-9490D 3. 1.3.9. 1.1) 

1) Preflight test coverage shall be 98% or greater for those elements essential for 

flight safety. , 

2) Preflight test coverage shall be 100% for those elements critical for flight safety. 

3) Preflight test shall be inhibited at speeds above low speed taxi. 

4 ) Preflight test from start to completion shall not require longer than 2 minutes. 

b) Flight Control Freedom of Motion Test 

A crew activated freedom of motion test shall be provided that confirms proper operation 
of the FCS without flight crew monitoring of the control surface indicators. 

(MIL-F-9490D 3. 1.3. 9.1) 

c) Maintenance Test 

A maintenance test shall be provided and interfaced with the central on-board mainte- 
nance control and display panel. (M1L-F-9490D 3. 1.3. 9. 1.2) 
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Control Transients (F.C.S.7) 


Failures 

The following events shall not cause dangerous or intolerable flying qualities: 
(MIL-F-8785C 3.5.5) 

a) Complete or partial loss of any function of the augmentation system following a 
single failure. 

b) Failure-induced transient motions and trim changes either immediately after failure 
or upon subsequent transfer to alternate control mode. 

c) Configuration changes required or recommended following failure. 

Failure Induced Transients 

With controls free, the airplane motions due to failures described above shall not exceed 
the following limits for at least 2 seconds following the failure, as a function of the level 
of flying qualities after the failure transient has subsided: (MIL-F-8785C 3. 5. 5.1) 

NORMAL (after failure): ±0.5g incremental normal or lateral acceleration at the pilot’s 
station and ±10 degrees per second roll rate, except that neither stall angle of attack nor 
structural limits shall be exceeded. 

MINIMUM ACCEPTABLE (after failure): No dangerous attitude or structural limit is 
reached, and no dangerous alteration of the flight path results from which recovery is 
impossible. 

Transfer to Alternate Control Modes 

The transient motions and trim changes resulting from the intentional engagement or 
disengagement of any portion of the primary flight control system by the pilot shall be 
such that dangerous flying qualities never result. (MIL-F-8785C 3.5.6) 

Transfer Transients 

With controls free, the transients resulting from the situations described above shall not 
exceed the following limits for at least 2 seconds following the transfer: (MEL-F-8785C 
3. 5. 6.1) 

Within the Normal Operational Flight Envelope: ±0.1g normal or lateral acceleration at 
the pilot’s station and ±3 degrees per second roll rate. 

Within the Permissible Flight Envelope: ±0.5g at the pilot’s station, +5 degrees per second 
roll rate, the lesser of ±5 degrees sideslip and the structural limit. 
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Control Force Harmony & Coordination (F.C.S.8) 

The pitch and roll control force and displacement sensitivities and breakout forces shall 
be harmonious so that inputs to one control axis will not cause inadvertent inputs to the 
other. (MIL-F-8785C 3.4.4) 

The following control forces are considered to be maximum for temporary application 
of simultaneous forces: (MIL-F-8785C 3.4.4. 1 & FAR 25.143) 


TYPF CONTROLLER 
Sidestick 
Wheel controller 
Pedal 


PITCH ROLL YAW 

50 Lbs 25 Lbs 

75 Lbs 40 Lbs 

150 Lbs 
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Control Surface Position Indication (F.C.S.9) 


Control surface position indication shall be provided for those control surfaces necessary 
for safe takeoff, flight and landing unless the failure of a surface to respond to a pilot 
input can be detected by other means from within the flight deck. (FAR 25.1309(c), FAR 
25.1329(b)) 
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Flight Control System Caution and Warning (F.C.S.10) 

A clear distinguishable caution/waming indication shall be provided for any failure in the 
nigh” ontrol systems which could result in an unsafe condition if the p.lo, were no, aware 

of the failure. (FAR 25.672(a)) 
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Control System Invulnerability (F.C.S.ll) 

a) Invulnerability to Environment 

1) The control system shall retain normal performance when subjected to ambient or 
induced environment extremes established for the system including the effects of tem- 
perature, vibration, shock, and EMI. (FAR 25.1309) 

2) The control system shall retain minimum acceptable performance or better when 
subjected to lightning or static electricity discharge extremes established for the airplane 
and systems. Wiring shall be shielded and protected to limit the lightning induced tran- 
sient level to less than 600 volts. The control system shall be protected against the effects 
induced by the multiple high current pulses or strokes associated with a lightning flash. 
(FAR 25.1309, FAR 25.581) 

b) Invulnerability to Electrical Power Transients 

The FCS electronics shall continue to operate satisfactorily during normal or abnormal 
temporary disruptions in the electrical power system such as those caused by transfer of 
power from ground to airplane sources and transfers caused by electrical failures which 
cause circuit breaker trips and consequent reconfiguration of electrical power source and 
routing to alternative airplane electrical power buses. ( MIL-F-9490D 3. 2. 4. 1.1) 
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Operational Exposure Requirement (F.C.S.12) 

The flight control system shall operate correctly through all phases of flight and ground 
handling exposure including: 

a) Power up in any combination or sequence of circuit breaker or switch selection. 

b) Power up with degraded ground power supplies. 

c) Engine or APU start in any sequence. 

d) System cockpit checks. 

e) Pushback. 

f) Taxi, including high speed taxi and turns. 

g) Brake release and rejected takeoff. 

h) Takeoff, climb, cruise, descent, hold, approach, go-around, land and rollout. 

i) Eneine or APU shutdown in any combination or sequence. 

j) Storage or park for any length of time in environment extremes established for the 
system. 

k) Exposure to continuous maintenance operation or troubleshooting. 

l) Exposure to simulated in-air operation on the ground without causing an unusual or 
unindicated personnel hazard exposure. 

m) System functional checks. 
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Longitudinal Control Reliability Requirements with Failure Conditions (F.C.S.13) 

a) The following failure conditions shall be extremely improbable: (FAR 25.1309) 

1) Elevator or stabilizer surface hardover or slowover 

2) Oscillatory failure in excess of structural limits 

3) Loss of flutter preventive actuation stiffness 

4) Loss of core system control of both elevators 

5) Asymmetric elevator in excess of limit load 

6) Feel forces greater or less than those required for minimum acceptable control. 

b) No single failure, including jams, shall cause loss of elevator command capability 
from both pilot’s stations. (FAR 25.671, FAR 25.1309) 

c) With controls free, the airplane motions due to any single failure shall not exceed + .5 
g normal acceleration at the pilot’s station for at least 2 seconds following the failure. 
(MIL-F-8785C 3.5.5. 1) 
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Lateral Control Reliability Requirements with Failure Conditions (F.C.S.14) 

a) No single hydraulic or electrical power source failure shall result in an uncommanded 
deflection of aileron or spoiler panels. (FAR 25.671(c)) 

b) No single failure including jams shall cause loss of command capability from both 
pilot stations. (FAR 25.671(c)) 

c) No single failure shall allow a control surface to assume a hardover position unless it 
can be shown that the hardover is controllable and does not produce unacceptable excur- 
sions. (FAR 25.671(c)) 

d) Oscillatory aileron or spoiler failures shall be extremely improbable. (FAR 25.1309) 

e) No single failure or combination of failures shall result in a trim runaway unless it can 
be shown to be extremely improbable. (FAR 25.1309) 
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Directional Control Reliability Requirements With Failure Conditions (F.C.S.15) 

a) No single failure, excluding jams, shall result in complete loss of rudder command 
capability (including trim) from both pilot stations. (FAR 25.671(c)) 

b) No single failure or combination of failures not shown to be extremely improbable 
shall result in the following: (FAR 25.1309) 

1) Trim runaway. 

2) Sustained rudder surface hardover to blowdown. 

3) Oscillatory rudder surface at critical frequency and amplitude. 
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Directional Control System (F.C.S.16) 

The directional control system shall be configured such that pilot use .of 
pedals for maneuvering including crosswind and engine- u 
consistent with conventional piloting techniques. 


215 



High Lift Control Reliability Requirements with Failure Conditions (F.C.S.17) 

a) With full loss of drive system power all leading edge and trailing edge devices shall 
remain in the last position attained at the time of failure. (FAR 25.697(a), FAR 
25.697(b)) 

b) No single failure in the drive system shall cause a flap segment to depart the airplane. 
(FAR 25.671(c)) 

c) For probable failures, full extension and retraction of all high lift devices shall be 
available, using normal procedures to the greatest extent practical, although the actuating 
time may be increased. (FAR 25.671(c)) 

d) The failure of one set of high lift devices, leading edge or trailing edge, shall not 
preclude control of the other set. 

e) No single failure or combination of failures that cannot be shown to be extremely 
improbable shall cause inadvertent retraction or extension or missequencing of any of the 
high lift devices if it requires unusual pilot skill or strength for continued safe flight and 
landing. (FAR 25.697(b), FAR 25.671(c)) 

f) No single failure or combination of failures that cannot be shown to be extremely 
improbable shall cause asymmetric operation of leading edge or trailing edge devices if it 
requires unusual pilot skill or strength for continued safe flight and landing. (FAR 
25.1309) 
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Aerodynamic Braking Reliability Requirements with Failure Conditions (F.C.S.18) 

a) No sinele failure or combination of failures not extremely improbable shall result in 
hazardous symmetric or asymmetric speed brake operation in response to a speed brake 
command. (FAR 25.671) 

b) No single failure or combination of failures not shown to be extremely improbable 
shall result in an uncommanded speed brake operation which would have an unacceptable 
effect on airplane performance or controllability. (FAR 25.671) 
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Architecture Element Requirements 
Flight Control System 


Expl name 
Aileron System 
Displays 

Elevator Stabilizer System 

Flight Control Computer 
High Lift Config- Controller 
High Lift System 

Rudder Pedals 
Rudder System 
Sidestick Controllers 

Speed Brake Controller 
Spoiler System 


1-L Reference 
A.S.l 


E.S.S.l 

E. S.S.2 

F. C.C.l 

H.L.C.C.l 

H.L. S. 1 
H.L.S. 2 

R.P. 1 

R. S.l 

S. C. 1 
S. C. 2 

S.B.C.l 

S. S. 1 
S.S. 2 
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Aileron Mechanical Travel, Design Hinge Moments and Rates (A.S.l) 

1) The lateral control system shall be designed to give the following rate, deflection and 
hinge moment capabilities with all hydraulic or electrical systems operating normally. 

The aileron actuators shall be sized to give full deflection at TBD speed and shall 
give 90% of full deflection in TBD seconds. 

2) Aileron peak rates shall not reduce more than TBD% with only one actuator active. 
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Longitudinal Control System (E.S.S.l) 

The following control system requirements are for airplanes where longitudinal 
provided by an elevator and stabilizer (if required). 


3 ) The elevators shall be capable of reaching 90% of maximum travel m TBD seconds 
Jilh all hydraulic systems operating and with considerauon of utilization of the contra 
on the other axes. Peak rates shall no. reduce more than TBD% with only one actuator 

active. 


b) There 
Vdf/Mdf 


shall be sufficient design hinge moment to obtain elevator 
to perform the 1.5 g mistrim dive recovery specified in FA ( )■ 
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Trim Control System Actuation (E.S.S.2) 

The stabilizer shall remain in the last selected position under the full range of operatin 
loads following complete failure of all power sources. (FAR 25.677(c)) 




Control System Computation (F.C.C.l) 

a) The FCS computation and sample rates shall be established at a level which ensures 
that the dieital computation process will not introduce unacceptable phase shift, round off 
error, nonlinear characteristics or aliasing into the system response. At the time of sys- 
tem acceptance, the total time used in flight control computations for worst case condi- 
tions shall not exceed 75 percent of the available computation time allocated for flight 
control use. Physical memory shall be sized such that at least 25 percent is available for 
growth at the time of acceptance. (MIL-F-9490D 3. 2. 4. 3. 2) 

b) Flieht critical computation shall utilize dissimilar hardware and software to meet the 
FCS safety requirements. 

c) Software utilized in the FCS electronics shall be designed, tested and documented in a 
manner to show compliance with RTC.A DO-17SA ’'Software Considerations in Airborne 
Svstems and Equipment Certification . 
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Manual High Lift Control (H.L.C.C.l) 

a) Wing leading edge and trailing edge devices shall be normally controlled through a 
single flap/slat controller. 

b) The high lift device controls shall be designed and located to provide convenient 
operation and to prevent confusion and inadvertent operation. (FAR 25.777(a)) 
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Trailine Edge Flaps Design Deflection and Rates (H.L.S.l) 

a) Flaps shall have a maximum deflection of TBD degrees under operating load. 

b) Hieh lift extend 'retract rates shall give satisfactory flight and p erforr " a "« 
characreristics under steady or changing conditions of airspeed, engine power 

plane attitudes. Hieh-lift system operating rates shall be chosen in conjunction i i 
choice of speed schedules for flap extension and retraction the stall warning speed 
schedules, and the flap placard and flap load alleviation spee s. to proxi 

A. leas, level flight capability after complete retraction of the high-lift devices from the 
maximum landing flap position has been initiated from steady, straight, level flight a 
, 2Vs, with simultaneous application of full take-off thrush 
a. critical combinations of landing weights and altitudes. (FAR .5.145(0) 

c) Any single engine failure shall no. significantly affect flap extension and retraction 


limes. 
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Leading Edge High Lift Device Actuation Rate (H.L.S.2) 

a) High lift extend/retract rates shall give satisfactory flight and performance 
characteristics under steady or changing conditions of airspeed, engine power and 
airplane attitudes. High-lift system operating rates shall be chosen in conjunction with 
the choice of speed schedules for flap extension and retraction, the stall warning speed 
schedules, and the flap placard and flap load alleviation speeds, to provide: 

At least level flight capability after complete retraction of the high-lift devices from the 
maximum landing flap position has been initiated from steady, straight, level flight at 
1.2VS, with simultaneous application of full take-off thrust, with the gear extended and at 
critical combinations of landing weights and altitudes. (FAR 25.145(c)) 

b) Any single engine failure shall not significantly affect slat extension and retraction 
times. 



Pilot Yaw Control (R.P.l) 

The pilot inputs shall be applied through a pair of pedals for each pilot. Individual 
pi!ot-to-pedal adjustments to accommodate pilots ranging in heights from 5’2” to 6 3” 
shall be provided. (FAR 25.777(c)) 

Crew trim control shall be provided via trim switches accessible to both pilots. 
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Rudder System (R.S.l) 

Ninety percent of full deflection shall be available in no more than TBD seconds at the 
highest speed design condition with TBD utilization of the lateral control surfaces and 
TBD utilization of the elevator. 

System Performance with Failure Conditions (FAR 25.671(c)) 

a) The rudder power actuation system shall be designed with sufficient redundancy 
such that with any single hydraulic or electrical system inoperative there shall be no 
degradation in minimum control speeds or crosswind takeoff and landing capability. 

b) Sufficient rudder capability shall remain with two hydraulic or electrical systems 
inoperative to maintain heading at the takeoff safety speed, V2, with the most critical 
engine inoperative in the takeoff configuration. 
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Pilot Longitudinal Control (S.C.l) 

Control inputs shall be provided by a small controller at each pilot station 

Normal crew trim control shall be provided by means of trim switches on each pilot 
controller. 

An alternate crew trim command path shall be provided by means of trim switches 
accessible to both crew members. (M1L-F-9490D 3. 1.3. 5) 


229 


Pilot Lateral Control (S.C.2) 

Control inputs shall be provided by a small controller at each pilot station. 
Crew trim control shall be provided via trim switches accessible to both pilots. 
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Speed Brake Controller (S.B.C.l) 

Control of speed brakes during in-flight and on-ground opera,, on 
provided by a single speedbrake control access, ble to both pilot and cop, 


shall be 
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Spoiler Deflections (S.S.l) 

The flight spoilers shall be capable of simultaneous deflection on both wings for use as 
inflight and ground speed brakes with modulation about this operating point for 
roll control. 
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Spoiler Mechanical Travel, Design Hinge Moments and Rates (S.S.2) 

The lateral control svstem shall be designed to give the following rate, deflection and 
hinee moment capabilities with all hydraulic or electrical systems operating normally. 


The spoiler actuators shall be sized to provide the control capability required to satisfy 
Parattraohs CMF17 The roll sensitivity with full speedbrake command shall meet 
fheTquirements of Paragraph T.R.D.C.1 They shall give 90S of full deflection 
in TBD seconds at the low speed design condition with TBD utilization of the rudder 


and TBD utilization of the elevator. 
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5.0 ESML Problems, Dendencies, 
and Recommendations 

During .his study functional requiems for an adviced High, condo! system were derived using 
a structured approach based on the Extended Systems Modeling Language (ESML). Th 
functional requirements were decomposed from the top-level function, Fly Miss, on. Dearie, 
performance requirements were then added to these functional requirements . based on existing 
regulatory agency requirements and specifications. This effort pmvided valuable experience w„h 
this particular technique for the design and validation of cridcal systems. Some observations are 

discussed in this section. 

There were problems applying the performance requirements to the decomposed functions. 1, was 
relatively easv to apply the regulatory agency requirements to high- eve unctions, 
decomposing die system-level performance requirements into lower level requirements that w 

ensure that the high-level needs were satisfied proved difficult. Additionally, many o te eai 

requirements resulted from implementation considerations associated w„h specific design c o.c 
or decisions. This is unavoidable because many of the regulatory agency requirements are based 
on traditional or conventional system implementations. I, should be noted that the organization o 
the performance requirements resulting from their allocation to the decomposed functional 
requirements is less concise and more repetitive than die organization of die same reqmremen.s ,n 

the source documents. 

I, is useful to discuss the set of structured requirements in terms of the 1APSA II study. In that 
effort major control functions were defined with applicable sensors, actuating devices, and update 
rates These control functions were allocated to a candidate archttecture concept, an ey 
performance and reliability evaluations wete accomplished. To perform these evaluations it was 
necessary to relate die operation of the major control functions to thetr purpose tn the system; these 
evaluations were feasible only because the major control functions were clearly tied to certain 
operational capabilities. The current se, of structured requirements suffers by comparison because 
the functions are not as obviously connected to an operational concept. This could be reme le 
finding a way to more closely relate the mission analysis results to the decomposed functions. 

A, some point in the design process, control laws must be designed in accordance with the 
structured functional and performance requirements. During this effort, standard contro a 
analysis techniques are used to satisfy the high-level performance requirements. The resulting 
control laws may be organized by operational modes to satisfy the needs found during the mission 
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analysis. The functional and performance requirements resulting from the control law design are 
suitable for the performance and reliability evaluation of the type accomplished for 1APSA II. 

One weakness of the set of structured requirements in terms of design for validation principles is 
the lack of visibility into the specific design decisions that drive the design. For example, the 
defined envelope protection functions do not involve the use of thrust control. This is the result of 
a design decision or ground rule that cannot be traced through the structured set of requirements. 
Similarly, an autoflight control function clearly interfaces with the flight control system, but the 
design decision to allocate to the flight control system responsibility for limiting the autoflight 
maneuver demands is not explicit. Methods that allow traceability of requirements to design 
decisions within the structured technique framework need to be explored. 

Some functions that are candidates for implementation in an advanced flight control system involve 
aircraft-level tradeoffs with nonavionic functions. For example, incorporation of an active control 
function such as wing load alleviation has an impact on the vehicle structural requirements. The 
current set of structured requirements does not contain the functional requirements or supporting 
performance requirements for nontraditional active control functions. If any such alternative 
designs are to be considered, their high-level requirements should be included in the baseline 
requirement set. 

The structured approach handles the flightcrew functions and responsibilities somewhat 
awkwardly. The handling qualities performance requirements are based on the direct pilot-in-the- 
loop control of the aircraft flightpath. Thus this crew role is implicitly allocated very' early in the 
function decomposition process. On the other hand, the pilot and copilot appear as architectural 
elements in the flight control system roll, pitch, and yaw context diagrams much later in the 
function decomposition process. As a result, several transforms are added that are associated with 
crew interface functions. 

This brings up a significant point with respect to the structured approach. If the vast majority of 
traditional flightcrew roles are assumed to be unchanged in the advanced aircraft, it might be more 
effective to consistently treat the crew as a dataflow "terminator." In this scheme only crew 
functions or roles that fall into a well-defined "domain for change" would need to be decomposed 
in detail. The key point is that the flightcrew plays a dominant role as systems integrator and 
manager in traditional aircraft operation. Therefore a great deal of effort is required to decompose 
all the flightcrew functions. If allocation of all the flightcrew functions is deferred until after the 
function decomposition process, then all traditional aircrew functions must be described in the 
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high-level diagrams for explicit allocation. The latter approach would dramatically increase the 
scope of the functional decomposition effort compared to the current structured requirements set. 
If the flightcrew role changes are minor, this will largely be wasted effort. 

The set of structured requirements includes several numerical reliability allocations. The current set 
does not support traceability' of these allocations to their source requirements. Qualitative reliability 
allocations (probable, improbable) or criticality assessments (safety critical, mission critical, etc.) 
might be more appropriate until the functions are allocated to architectural elements. Numerical 
reliability allocations are usually more meaningful in the content of a specific implementation 
design. A supporting reliability tool such as SURE, CARE HI, FTREE, or HARP can then be 
used to demonstrate that the reliability allocations would ensure that the implemented function can 
meet the system needs. 
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6.0 Excelerator Problems, Deficiencies, and 
Recommendations 


In addition to the experience gained using the ESML approach to define advanced fltght conno 
requirements, this effort also provided experience using the Excelerator tool tn an ESML 
environment. Some of the key problems, deficiencies, and recommendattons that came to l.g 
during this effort are described in this section. 


1 . The tool should have the capability to flag any elements on a transform graph that have not 
been described (i.e., defined and entered into the project database). 

2 The tool should be able to check for the lack of a given type of detailed requirement (i.e., 
performance, availability, reliability, safety) for any type of transform graph entity (re- 
transforms. data flows, control flows). This would force the user to be ngorous and to 
address all the types of detailed requirements for each entity on a transform graph. 

3 The tool should have some artificial intelligence built into the system so that it can check for 
features such as balancing and assuring that all elements are described. In other words it 
should automatically generate some of the the reports the engineer might produce and then 
check these automatically for inconsistencies and omissions. It would be 
background at all times and would continually monitor the database and alert the engineer to 

possible problems in a timely manner. 

4 If a transform graph has several transforms that use the same external data flows the user 
must currently define an external intetface for that data flow for each of the transforms, t 
should be possible to specify only one external interface for the data flow and have „ flow to 
each of the transforms using it. Similarly, if several transforms produce the same data flow, 
i, should be possible to have these merge into one external interface as opposed to havmg to 
define an interface for each transform. Such a feature would greatly enhance manua 

balancing of transform graphs. 

5 Balancing of data flows from the parent transform graph to the child transform graph should 
not only work for data flows that are elements but also for data flows that are a record o 
elements. Thus, if roll angle is an interface to a child transform, and there is a data ow 
control variable .ha, is a record of elements including roll angle into the parent transform, the 
tool should consider them balanced. Currently the tool does not make this kind of chec 
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6. Graphics could be greatly improved. Currently, what you see is not what you get. To see 
what will be printed it is necessary to zoom in to particular sections of the figure. It should 
be possible to see the entire figure on the screen as it will be printed. This is particularly 
important with respect to the placement of labels for data flows. 

7 . The menu-driven capability could be greatly enhanced by allowing the user to move from one 
kind of analysis directly to another without always having to go back to the main menu. An 
even better approach is to allow the user to have several processes running concurrently with 
a different capability in each, so that the user can pop back and forth between capabilities 
without always having to back out of one before entering the next. 

8. It should be possible to explode an expansion document graph fragment to the appropriate 
document graph in the same manner as a transform is exploded to another transform graph. 

9. The tool should allow one to do analysis not only on a given transform graph but also on a 
tree of transform graphs. For example, one might want to generate an entity list for a given 
transform graph and all the transform graphs below that level (i.e., all its children). 

10. The tool should have a provision to allow the user to generate generic templates of a report. 
The user would specify a key word that would generate a unique report with the report name, 
entity list, transform graph name, header for the report, etc., based on the key word. 

1 1. The tool should have a provision to generate document graphs for all children of a given 
transform graph based on the document graph defined for the parent. That is, the tool would 
automatically generate the document graphs of the same form as that defined for the parent 
for each child and would change transform graph name, entity lists, and report headers as 
appropriate. 

12. The tool does not currently support all the graphical elements that may appear on a transform 
schema. In particular, it does not support intermittently available flows, signals and 
prompts. 

1 3. The tool does not currently balance control transforms against control specification, nor does 
it balance flow transforms against primitive specifications. 
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14. The tool needs the capability to provide a template for specifying flow transform primitive 
specifications using text, tables, pseudocode, block diagrams, functions, PDL, etc. 
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Abstract 

Current approaches to systems design frequently 
result in large, incremental costs during system in- 
tegration testing and service introduction to re- 
move design errors that were introduced during 
the requirements and design phases of the life-cy- 
cle. This study was conducted to assess the possi- 
bility of reducing system development cost by 
elimination or early detection of design errors 
through the use of a systematic design approach. 
The study indicates that such possibilities do exist 
and should be exploited. 

Introduction 

As avionics and flight systems become ever more 
complex the problems of systems design become 
more pronounced. The most nagging problems 
appear to be; 1) making the system meet the real 
operational requirements of the user and; 2) mak- 
ing sure that the system behaves in a predictable 
manner to changing operational conditions. When 
reviewing design data from existing projects there 
appears to be a lack of integration between user 
requirements and system design requirements. 
This is a contributing cause to the first problem. 
When design requirements are documented pri- 
marily as textural material, supplemented by an 
assortment of figures, it is difficult to be precise 
and rigorous, and to establish traceability. This 
lack of an effective means of documenting systems 
engineering work is a contributing cause to both 
classes of system design problems. 


Figure 1 illustrates how- a major airline views these 
problems. Most design errors are introduced early 
in the development cycle and removed late in the 
development cycle or after the product is put into 
service. This supports the observations regarding 
the lack of integration between user requirements 
and svsiein design requirements and the lack of 
ricor in the requirements formulation. Coding er- 
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Figure 1 Development Error Characteristics 


rors are those errors that result from a lack of at- 
tention to detail w'hen implementing a system de- 
sign. Although this chart addresses software devel- 
opment it is representative at the system level as 
we ll since most advanced flight system designs are 
based on the extensive use of digital processors. 


If design errors could be avoided or detected early 
in the development cycle, when removal costs are 
low, rather than late in the development cycle, 
when removal costs are high, considerable devel- 
opment cost reductions could be realized. A sys- 
tematic approach to system design can accomplish 
this. A key ingredient to a systematic design ap- 
proach is an in-depth analysis of the process at 
hand, e.g. to operate an aircraft. The analysis re- 
sults are used to evolve a system architecture de- 
sign and design requirements for the components 
that make up the system. The other key ingredi- 
ent is an integrated project data base where all 
engineering design data is stored in a common for- 
mat that promotes rigor and traceability, analo- 
gous to that used in machine design or software 
design. 


A-l 


Appendix A 


Approach, Notation, and Rules 

This paper will concentrate on introducing an ap- 
proach, a notation, and a set of rules that are can- 
didates for use in system design. A simple exam- 
ple will illustrate the concepts. It will illustrate that 
user requirements and system design requirements 
can be captured using the same approach, nota- 
tion, and set of rules. 

The first step is to identify the task, e.g. fly mis- 
sion, for which a system will be developed to pro- 
vide crew support. The task will be analyzed to 
identify each component process with its output 
and input flows, the need to store flows, and the 
need for process control, i.e. the need to activate/ 
de-activate processes. In most cases the output 
flow’s from one process are used as input flow’s to 
other processes. At this point it is immaterial if a 
process is to be performed by the crew or by on- 
board systems that support the crew. Thai deci- 
sion will be made later. 

The results are documented using a notation that 
is graphic since it has been proven that pictorial 
representations of concepts are more easily under- 
stood than written descriptions. Figure 2 show's an 
example of hou' one small pan of the "fly mis- 
sion " task analysis is documented using a graphic 
notation where shapes are used to represent proc- 
esses, input and output flows, and stores where 
flow’s are held for future use. A complete defini- 
tion of a notation and a set of rules is published in 

[ii 

Each process is given a descriptive label that indi- 
cates what it does. Each flou and store is given a 
descriptive label that indicates what it is. The use 
of graphics shonens the time needed to document 
the results of a process analysis. It would take a 
rather lengthy prose statement to describe every- 
thing that is documented in Figure 2. Likewise, 
documents relying extensively on graphics require 
less effort to comprehend. The bold-lined shape 
will be referenced later in this paper. 
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Figure 2 Example of Graphic Notation 
for Process Analysis Documentation 

date rate. For more complex flow’s simple attrib- 
utes like range, resolution and update rate will not 
suffice. If a flow represents a report then require- 
ments on the subject of that report must be docu- 
mented. The term domain is used to mean what is 
to be included in a flow. As the domain of the 
flow' becomes more expansive, quality require- 
ments become more complex than simply defining 
a few parameters. Requirements levied agains: 
processes may address process performance and 
safety. Conceptually this is shown in Figure 3. It 



Once processes, flow's, and stores, have been de- 
fined requirements can be levied against each of 
these entities. For example the requirements lev- 
ied against flows may address attributes like range 
of a parameter measurement or resolution and up- 


Figure 3 Examples of Requirements 
Levied Against Flows and Processes 

must be made very clear that the requirements 
levied against a process, or flow, or a store must 
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be chosen to suit the needs of the project. The 
requirements classes used in this example were se- 
lected as representative. 


In most cases the first set of processes identified in 
an analysis are top level abstractions. Each of 
these processes can, in turn, be the subject of an 
analysis that results in a more detailed definition 
of the original processes in terms of component 
processes, flows, and stores. Figure 4 shows the 
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Figure 4 Sample Output from 
Process Analysis 


quirements pertaining to a process, subject to a 
process analysis, must be considered when formu- 
lating the process definition. The successive analy- 
ses of processes and flows resulting in ever more 
detailed levels of requirements lead to the com- 
monly used term Structured Analysis for this ap- 
proach. 

The concept of repetitive structured analysis is il- 
lustrated in Figure 5. Each new " level" adds de- 
tail to the design requirements. Requirements, e.g. 
a performance requirement, levied against a 
higher level process are " distributed” as more de- 
tailed requirements amongst the lower level proc- 
esses once these processes are defined. 

Since the graphical notation very precisely identi- 
fies processes and stores and how they are con- 
nected by flows, rules can readily be established 
for permissible constructs on a diagram as well as 
for traceability between a process with its input 
and output flow’s and the diagram that further de- 
tails it. By enforcing notation and rules the prob- 
ability of omitted requirements, unsupported re- 
quirements, or inconsistent requirements can be 
greatly reduced as will the risk for mis-communi- 
cation between organizations and individuals. 

When the task under analysis, i.e. fly mission is 
adequately detailed in terms of component proc- 
esses, stores, and flows a design study can be con- 
ducted to determine w’hich of the processes will be 
performed by a man-made system and w'hich 


processes will be performed by the crew. Assume 
results of an analysis of the process "Measure the processes involved in measuring a bearing 

Bearing" which was shown in Figure 2.A11 re- (Figure 4), as a result of a design study, are as- 
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Figure 5 Illustration of the Repetitive Structured Analssis Concept 
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signed to the pilot and to an airborne navigation 
receiver. 

The pilot and the airborne navigation receiver are 
classified as architecture entities, and are repre- 
sented by graphic shapes on an architecture inter- 
connect diagram as shown in Figure 6. Line seg- 

INTERCONNECT ARCHITECTURE 



• Intercept Signal •Get Tuning Data 

• Compute Bearing * Check Tuning Validity 

Record Measured Bearing 

Navigation System 

Figure 6 Example of Graphic Notation 
for Architecture Design Documentation 

ments are used to indicate the existence of func- 
tional interfaces between the architecture entities, 
i.e. interconnect indicators. The process assign- 
ment is listed next to the architecture entities. 
There is a tendency by engineers to make assump- 
tions about the human (user) pan of the problem 
that are not necessarily founded on a thorough 
analysis. The importance of understanding the 
processes to be performed by the user of the sys- 
tem is just as great as understanding the processes 
to be performed by the system, particularly when 
the process assignments result in complex func- 
tional interfaces between the user and the system. 


Architecture entities, once defined, may have re- 
quirements and drawings associated with them as 
summarized in Figure 7. For example environ- 



Figure 7 Example of Requirements 
Levied Against Architecture Entities 


mental requirements may be levied against each 
architecture entity of the system. In some cases 
requirements to use a certain technology may be 
levied against architecture entities. 


When the process assignment is completed the in- 
terface definition between the architecture entities 
can be extracted from data already generated as is 
illustrated in Figure 8. By conceptually drawing a 



Figure 8 Sample Output from 
Process Analysis 

line around the process(es) and/or stores assigned 
to an architecture entity, sets of processes and/or 
stores are defined. The functional interface re- 
quirements between the architecture entities are 
defined by the flows that connect each of the sets. 
For example, the tuning frequency must be passed 
between the pilot and the receiver. Tuning valida- 
tion data and bearing must be passed from the 
receiver to the pilot. This establishes the interface 
between the pilot and the receiver. In general the 
interface definition becomes a fall-out of the ar- 
chitecture design process. 

Depending on the selected system architecture, 
additional processes may have to be added to 
make the system function. For example. Intercep- 
tion of VOR Signals and Processing of Bearing 
Measurement Data were assigned to the naviga- 
tion receiver. Pan of the design process must ad- 
dress the physical implementation of information 
flow. Decisions on this issue must be made and 
documented. For example the physical represen- 
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tation of the Tuning Frequency in the mind of the 
Pilot is different from the physical representation 
of that same information in the Receiver. To ac- 
commodate this a design decision is made to let 
ihe pilot rotate a tuning knob to indicate to the 
system that the tuned frequency must change. The 
system will display the instantaneous, tuned fre- 
quency to the pilot as part of the Bearing Meas- 
urement Display. It will also display the measured 
bearing and a signal quality indicator. Another de- 
sign decision requires the addition of a process 
that outputs an audio signal that carries a Nav 
Transmitter Ident. As a result three processes. 
Convert Pilot Entry, Display Bearing Measure- 
ment Data, and Sound VOR Ident have been 
added as required processes to make the system 
perform its intended function, see Figure 9. 
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Figure 9 Examples of Flow 
Format Conversion Processes 


This leads to another concept of a structured de- 
sign approach. There are processes that are ge- 
neric, i.e. they are pan of the overall task irre- 
spective of the system architecture and process as- 
signment and there are processes that are dictated 
by architecture design decisions. The generic 
processes will change only when the overall task 
changes while the architecture dependent proc- 
esses may change each time the architecture is 
changed due to technoloci advances or other rea- 


sons. Since the generic processes can readily be 
identified, they can be re-used each time a new, 
advanced version of a product is to be developed 
thereby reducing the overall effort. If the naviga- 
tion receiver were made part of a larger system 
where the access of tuning frequencies and the re- 
cording of measurement data were automatic the 
added processes of Figure 9 would differ. Other 
processes that might get added are processes for 
redundancy management, maintenance, built in 
test etc. 

Figure 10 graphically represents the systematic ap- 
proach to system design. It also hints of the struc- 
ture of a project data base. Set A, in Figure 10, 
represents the documentation of a task analysis 
and is the requirements statement for that task. 
Each "level” symbolizes the definition of one or 
several processes in terms of constituent compo- 
nents as was illustrated in Figures 2 and 4. The 
solid lines between process shapes indicates that a 
lower level process is a component of a higher 
level process. Although not shown flows and 
stores also constitute components. 

Based on the requirements statement a system ar- 
chitecture is defined in terms of its major compo- 
nents, i e architecture entities, as represented by 
Set B. In this example there are three architecture 
entities in Set B. Each of these has assigned proc- 
esses as indicated by the dashed lines. These sets 
of assigned processes form the staring points for 
requirements statements for each of the architec- 
ture entities. The requirements statement for ar- 
chitecture entity A is illustrated by Set C. In order 
to maintain traceability once architecture entity 
requirements statements have been formed, provi- 
sions must be made to trace each architecture en- 
tity, process, flow, and store as it gets partitioned 
off as an independent entity. This is illustrated by 
the dotted lines. Periodic checks are made to as- 
sure that each occurrence of an architecture en- 
tity, a process, a flow, or a store in the project 
data base have identical definitions. 

Once separate requirements statements are de- 
fined for each architecture entity processes can be 
added as represented by the encircled process 
symbol. The concept of how the need for addi- 
tional processes can be dictated by an architecture 
design was discussed in conjunction with Figure 9. 
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Figure 10 Summary of Systematic Approach to System Design 


A series of process analyses may be performed to 
further detail the top level requirements statement 
for architecture entity A, i.e. the assigned and 
added processes are analyzed and defined in 
terms of their components. 

The requirements statement for architecture entity 
A is used as an input to a design process to define 
the components of architecture entity A. Concep- 
tually this is illustrated by Set D where the compo- 
nents of architecture entity A are shown. Set E 
illustrates the result of a second cycle of process 
assignment. When a projects engineering design 
data base is organized as outlined above it is possi- 
ble to systematically trace a high level system re- 
quirement all the way down to the lowest level de- 
sign requirement for an architecture entity. 

The systematic partitioning and the establishment 
of traceability will simplify management of the 
multi-organizational support of large system devel- 
opment projects. Frequently sub-systems are con- 
tracted out to participating organizations. Subse- 
quent work by these organizations can routinely 


be integrated, system wide, for analysis to uncover 
traceability and interface problems. 

To this point the notion has been that architecture 
entities represent physical entities. There is no 
reason to impose such restrictions on the concept 
of an architecture entity. It can very well repre- 
sent a software entity, e.g. a Package, Sub-Pro- 
gram, or Task. Figure 1 1 illustrates the expanded 
concept of the architecture entity. The architec- 
ture entity labeled A1 is the same as the architec- 
ture entity A1 appearing in Figure 10. Its require- 
ments statement is represented by the processes 
included in Set A. Assuming that a digital imple- 
mentation is selected a top level software architec- 
ture can evolve based on this requirements state- 
ment. This is illustrated by the two Packages in 
Set B. The processes of the requirements state- 
ment represented by Set A are assigned to Pack- 
ages and #2. Each of these Packages can then 
be treated as an independent entity with its own 
requirements statement, based on the assigned 
processes as illustrated by Set C. Additional proc- 
esses can be added as represented by the encir- 
cled process symbol. This cycle of formulating a 
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Figure 11 Illustration of "Leveled" Approach to Software Design 


trequiremenis statement, basing an architecture 
on the requirements, assigning processes, and for- 
mulating component requirements statements can 
be repeated. This is illustrated by the definition of 
Package #1 in terms of component Sub-Programs 
a*. shown in Figure 11. 

The important conclusion to draw is that the same 
basic approach that is used for a hardware system 
architecture design can be used for a software ar- 
chitecture design. In so doing the design is arrived 
at systematically and traceability is established A 
large number of design errors may be eliminated 
before detailed design of hardware or software 
coding takes place. 

Standardization Efforts 

Efforts are under way to develop a notation and 
set of rules that are suitable for systems engineer- 
ing. A number of notations and sets of rules have 
been developed and are documented in CASE lit- 
erature [2], [3], and [4], To date they have ad- 
dressed software engineering problems, not neces- 
sarily systems engineering problems To remedy 
this an ad hoc team was formed, by representa- 


tives from aerospace companies, to derive a nota- 
tion and rules set from previous work in this disci- 
pline that had the additional features required to 
support svstems engineering. This undertaking has 
become know-n as the ESML initiative. The acro- 
nym ESML stands for Extended Systems Model- 
ing Language. One paper that proposes a notation 
and set of rules to be used in the formulation of 
requirements for system processes and process 
control has been released at a conference. A pa- 
per defining a notation and set of rules for docu- 
menting an architecture design is planned for this 
year. 

The team that is pursuing this task has not been 
chartered by any organization to develop an in- 
dustry standard. The extent to which this work 
will tend to standardize notations and rules will 
depend on the following that it receives. If it gains 
support in the industry it can become a candidate 
for a standard at some future date. 

The Role of Systems Engineering Tools 

Data contained in diagrams like those in Figures 
2. 4, and 6 can be converted to tabular form. In 
tabular form the data can be analyzed using se, 
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operations, e.g. sorts, selects, unions, and inter- 
section. The analyses can be tailored to detect 
lack of rigor, e.g. flows without a defined source, 
requirements statement s for architecture entities 
that cannot be traced to higher level require- 
ments. Analyses can be tailored to detect incon- 
sistencies, e.g. an interfacing flow is defined dif- 
ferently at the source and destinations. The pro- 
gress in developing a system design definition can 
be measured by periodically taking inventory of 
the project data base. If the requirement for rigor 
and traceability is enforced throughout the design 
process a lot more data will have to be generated 
in the requirements and architecture design 
phases of the life cycle than is the case today. The 
proposed approach will probably be unmanage- 
able if applied to a large project without the assis- 
tance of automation, i e. software tools hosted on 
computers that are appropriately networked. 
Computer graphics tools can be used to draw the 
diagrams that this approach is based on. The com- 
puter can be used to convert the graphical data 
into tabular form and load it in a data base. Once 
the engineering design data is in the data base, the 
computer can be used to perform the set opera- 
tions needed to analyze the data base. 

Once a computer-based project data base exists, 
automation can be extended to support documen- 
tation. Engineering documents contain engineer- 
ing data selected for a specific purpose. In a large 
project the same document format is often used, 
repeatedly, but the specific data will vary. Docu- 
ment templates can be used to define the docu- 
ment format and contain boilerplate text. These 
can be copied to become the starting point for 
each occurrence of the document. References to 
data in the project data base are used to finalize 
the template. At publishing time the document 
template will be used to automatically produce the 
document by accessing up-to-date engineering 
data in the project data base and including it with 
the boilerplate text. Automation of the documen- 
tation process has the potential for considerable 
cost savings. 

Software tools that have the capability to support 
the systematic system engineering approach are 
available on the CASE too! market. They are 
hosted on a variety of PCs. engineering worksta- 


tions, and mainframe computers. Most tools sup- 
port the drawing of diagrams and entering of data 
contained on the diagrams into a data base. To 
varying degrees they support rules enforcement, 
analysis of the data base, and documentation. 
Most still lack the capability to be tailored to the 
needs of a particular project. 

The Cost of Introduction 

The issue of recovering the cost of introducing this 
approach and its supporting automation appears 
to be an impediment to a full commitment. The 
cost of introduction is driven by the need for 
training and re-documentation of existing engi- 
neering design data or reverse engineering. The 
need for training is reduced by notation and rules 
set commonality and simplicity. It is also reduced 
by tool designs that are user friendly and adapt- 
able to the needs of a project. Some degree of 
reverse engineering is inevitable to any organiza- 
tion with a well established product line that opts 
to introduce a systematic approach to systems en- 
gineering. Waiting for a brand new project to be 
launched where the whole development process 
will start from "square one" may be putting off the 
commitment indefinitely. In many cases compa- 
nies with established product lines may benefit 
from a reverse engineering process to get the de- 
sign requirements for current products consoli- 
dated in support of derivative and new product 
commonality. 

The cost of automation can be minimized if a 
common notation and set of rules can be agreed 
upon. That will require fewer varieties of systems 
engineering tools, each lining up behind a favored 
notation, and give tool suppliers a broad customer 
base. It will also facilitate the transfer of engineer- 
ing data between participating organizations with a 
minimum of data conversion tools. 

The cost recovery will have to come from the shift 
of design error detection and correction from the 
system integration and product introduction 
phases to the requirements and architecture de- 
sign phases as is indicated in Figure 1. The cost of 
late design error detection and correction is high. 
Expensive integration test facilities and teM vehi- 
cles must be operated for long periods of time to 
support detection of design errors and to re-test 
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the revised system. Each design error correction 
involves a lengthy process of problem reporting, 
re-design, document revision, and testing. The 
correction of design errors after service introduc- 
tion carries the added cost of fleet revision. An 
analysis of cost per late design error correction 
may show that the cost savings of even a modest 
reduction in the design error count may pay for 
the introduction and automation costs. 

Conclusion 

The combination of a systematic approach, a 
graphic notation, an associated set of rules, and 
computer bases tools for systems engineering pro- 
vide the potential for reducing the development 
cost of complex systems. This is done by elimina- 
tion or early detection of design errors thereby re- 
ducing the high cost of detecting and removing 
these errors during integration testing and service 


introduction. Developments in the areas of nota- 
tion and rules standardization and computerized 
engineering tools provided the key ingredients 
needed to pursue a systematic approach to system 
design. These developments should be exploited. 
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ESML: An Extended Systems Modeling Language 
Based on the Data Flow Diagram 

C. Ingvar Svensson 

Principal Engineer, Avionic/Flight Systems Engineering 
Boeing Commercial Airplanes 
Seattle, Washington 

Abstract: ESML (Extended Systems Modeling Language) is a new system modeling 
language based on the Ward-Mellor and Boeing structured methods techniques, both of 
which have proposed certain extensions of the DeMarco data flow diagram notation to 
capture control and timing information. The combined notation has a broad range of 
mechanisms for describing both combinatorial and sequential control logic. 

1. Introduction. A modification of the data flow diagram notation to capture control and 
timing information was proposed by Ward and Mellor [1] and later extended by Ward [2]. 
The modification encompasses extended graphic notation, specification rules, and 
balancing rules. The notation and formation rules for this method have been incorporated 
into several commercially available CASE tools, and prototypes of the executable model 
have been demonstrated on a TI Explorer in Flavors [3], in the Vax environment on the 
ADAS CASE tool [4], and in OPS5 [5]. 

Within the same time period, another modification of the data flow diagram to capture 
control and timing information was proposed by Hatley (6]. The Boeing structured 
methods technique is based on the notation described in reference [6]. The notation and 
formation rules for this modification have also been incorporated into commercial CASE 
tools. 

A substantial body of experience now exists on the use of these tw r o notations. 
Furthermore, a number of developers, including developers in two of the authors’ 
organizations (Honeywell Inc. and Hughes Aircraft Company), have succeeded with the 
use of combinations of elements from the two notations. The basis for this combination 
has been discussed by Ward and Keskar [7], The present paper is a detailed proposal for 
a notation extending features of the two original ones. The extended notation has a more 
comprehensive and flexible set of constructs for representing control logic than either of 
the original notations. We propose that the new notation together with its formation and 
execution rules be called the Extended Systems Modeling Language (ESML). 

2. Transform Schema Objects. The flow diagram extension used in ESML is called the 
transform schema as in [1]. Figure 1 shows the objects that can appear in a transform 
schema. 

Transforms represent units of work or control within the system. Each transform carries a 
label describing the unit of work or control performed. The same transform can appear in 
more than one transform schema. A flow transform represents a unit of work performed 
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Figure 1 ESML Transform Schema 


to produce a set of output flows from a set of input flows, e.g. accepting, manipulating, 
producing, storing, transporting, and retrieving flows. A control transform represents a 
unit of control logic that determines when, and for how long, other transforms are active. 

Terminators represent a physical entity or system that provides flows (information, 
material, energy) to, or receives flows from, the schema and should be thought of as a 
transform or group of transforms whose details are of no interest within the schema. Each 
terminator carries a label describing the real-world entity or system it represents. The same 
terminator can appear on more than one transform schema. 

Flows represent the ’’things” on which transforms operate. Value bearing flows represent 
variable-content information, material, or energy, that flows within the system or between 
the system and interfacing physical entities or systems. Each value bearing flow carries a 
label describing what it is. The same value bearing flow can appear on more than one 
transform schema. A continuously available flow represents information, or material, or 
energy, or any other item that moves within a system, or between a system and 
terminators, which is available at every point in time. An intermittently available flow 
represents information, material, energy, or any other item that moves within a system, or 
between a system and terminators, but is not available at every point in time. 
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Non-value bearing flows, also called signals, represent the recognition of the occurrence 
of events. Each signal carries a label describing the event it represents. The same non-value 
bearing flow can appear on more than one transform schema. 

Prompts represent control imposed by one control transform on another transform. There 
are five distinct prompts, distinguished by a letter placed in the small circle at the end o 
the line segment. A trigger activates a transform to perform a time-discrete action 
triggered transform terminates under its own control. The enable prompt * mtiates 1 e 
activity of a transform. The disable prompt terminates the activity of a transform. When 
the activitv of a transform is terminated, it ’’forgets” any intermediate results and starts 
anew when enabled or triggered. The activate prompt is a combination of the enable and 
disable prompts. The suspend and resume prompts are similar to the enable an isa e 
prompts, except that a suspended transform remembers its intermediate results an t e 
system context. The resumed transform continues where it left off when suspended. T e 
pause prompt is a combination of the suspend and resume prompts. 

Stores represent value bearing flows within the system that are held for future access. A 
transform that uses a stored flow controls its accesses to the flow. Each store, like each 
flow, carries a label describing what it is. The same store can appear on more than one 

transform schema. 

A non-depletable store represents information flow, held for future use, that is not 
"consumed” when accessed. 

A depletable store represents flow, held for future use, that is consumed when 
accessed. 

3. Transform Schema Connections. The connection rules for the objects defined above 
are stated in the following figures. The ”X” in those figures indicates legal connections. In 
summary, transforms, terminators, and stores are connected by flows. 

At least one end of each flow in a transform schema must be connected to a transform. 
Connections are not allowed between terminators, between stores, or between terminators 

and stores. 

Flows from multiple sources and to multiple destinations may be represented by a 
split/merge notation as described in reference [1]. 

A flow transform must have at least one output flow. A flow transform normally has at 
least one input flow or a prompt. 

A control transform must have at least one input flow and one output prompt, or output 
signal. 

A terminator must have at least one input or one output flow. 
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A store must have at least one input or one output flow. The input flow can represent all 
elements of the store, or a sub-set of them. In the first case the input flow label will be the 
same as the store label or it may be omitted. In the second case the input flow label will 
differ from the store label. The output flow can also represent all elements of the store, or 
a sub-set of them. In the first case the output flow label will be the same as the store label 
or it may be omitted. In the second case the output flow label will differ from the store 
label. 

Continuously available flows connect transforms, terminators, and stores as shown in 
Figure 2. A continuously available flow can originate from a control transform only if 
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Figure 2 Connection Rules for Continuously Available Flows 


that control transform represents a combinatorial controller. The controller types will be 
addressed later. 

Intermittently available flows connect transforms, terminators and stores as shown in 
Figure 3. 
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Figure 3 Connection Rules for Intermittently Available Flows 
Signals connect transforms and terminators as shown in Figure 4. There is one special 
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Figure 4 Connection Rules for Signals 


case identified. A signal can only be destined for a flow transform or a control transform 
that represents a sequential controller. 


Prompts connect control transforms to flow and control transforms as shown in Figure 5 
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Figure 5 Connection Rules for Prompts 

Control transforms may not exchange prompts. Transforms activated by a prompted 
control transform are deactivated when the prompted control transform is deactivated 
When a transform is de-activated, each element in a continuously available output flow 
will have a defined default value. The default value can be the last value, a constant, an 
initial value, an expression, or a null value. 

4 Object Specification. An object must be specified either in terms of sets of objects or in 
terms of an object specification. The rules for specifying an object in terms of sets of 
objects will be discussed in the following paragraphs. Formats for individual object 
specifications will be presented. 

Each flow transform must be specified either by a transform schema, i.e. a set of raatcu 
transforms , flows and stores, or a transform specification. A flow transform specification 
describes in detail the transformation of input flows to the corresponding output flows. A flow 
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transform specification may be procedural, non-procedural, graphical, textual, PDL, 
psuedocode, or tabular. 

Each control transform must be specified by a control specification. A control 
specification describes in detail the control logic that the control transform represents. If the 
control transform logic is at least partly sequential (i.e. it depends on a time sequence of 
discrete occurrences as well as knowledge of its current state) a state transition diagram 
or a state transition matrix format is used to specify control. Examples of each are 
shown in Figure 6. 



I: SIGNAL 4 (VARIABLE 3 > VALUE 3) 

o: variable 2:=value2 


STATt s \^ 

E 

SIGNAL 1 

SIGNAL 2 

(variables 

VALUE 1) 

SIGNAL 4 

[VARIABLE 3> 
VALUE 3) 

STATE 1 


<E> trans- 
form A 




STATE 2 

STATE 2 

STATE 1 


<D> TRANSFORM A 
<T> TRANSFORM B 
SJGNM 3 



__ STATE 3 

STATE 3 

STATE 1 

! 


VARIABLE 2 = 
VALUE 2 


STATE 1 

STATE 1 


Figure 6 Examples of State Transition Diagram 
and State Transition Matrix 

The transition inputs on the diagram can be shown above a horizontal line, to the left of a 
slash (/), or prefixed by an I:, and be located next to the transition vectors. A transition 
input can be a signal, one or more logical expressions, or both. A prompt may serve as a 
transition input for the entry transition. Permissible logical expressions consist of two 
continuously available flows, separated by a relational operator or a continuously 
available flow and a constant separated by a relational operator. 
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When a transition can occur due to one or more transition inputs, each input is entered as a 

separate expression starting with an I:, e.g. I: ( X>=critical ) 

I: Stop(Y=20) 


Alternately the expressions are entered on one line and separated by a vertical bar, e.g^ 
(X>=critical)|Stop(Y=20). A third alternative is to use multiple transition vectors, eac 
with a unique input condition and all having the same output action. 


The transition outputs on the diagram are shown below a horizontal line, or to the right of 
a slash (/), or prefixed by an O:, and located next to the associated transition vectors. 
During a transition zero or more actions may be taken. These may be to issue promp s 
signals or assign values to an intermittently available flows. Prompts are indicated I by _a 
prompt label enclosed in ”< >", followed by the label of the transform affected b> 
prompt. Signaling an event is indicated by a signal label. Assigning a va ue to an 
intermittently available flow is indicated by the flow label followed by a colon, an equa 
sign, and the assigned value. Examples of each are shown in Figure 6. 


If the logic of a control transform is purely combinatorial — the control exerted during a 
time period depends only on a combination of values of continuously available flows that 
hold during the period an activation table format is used to specify control. An example 
is shown in Figure 7. The left columns represent the possible sets of input flow 
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1 

E 

? 

Y 

20 
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2 

E 

? 

N 

25 

OFF 

3 

E 

? 

N 

1000 


Figure 7 Activation Table 


conditions, the center columns represents the control action imposed on other transforms 
as a function of combinations of input flow conditions, and the right columns represent 
outputs that are set as a result. The activation table must account for all possible input 
flow combinations 

Each input column is headed by the label of a continuously available flow. The row 
entries represent mutually exclusive sets of flow conditions. The range of conditions for 
each flow must fall within its domain as specified in the flow specification. Each 
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transform column is headed by the label of a controlled transform. The row entries 
specify the control action performed at the time of the transition. As with a sequential 
control specification, if there is no change in the control state for a transform, no control 
action is specified. Each output column is headed by the label of a signal or a 
continuously available flow. The row entries for a signal will specify whether or not that 
signal is broadcast. The row entry for a continuously available flow represents the value 
assigned to that flow- during the time period of a control state. 

Prompt sequencing rules are defined in Figure 8. Note that two of the prompt sequences 


• CURRENT PROMPT 

PREVIOUS PROMPT ~~ 

TRIGGER 

ENABLE 

DISABLE 

SUSPEND 

RESUME 

TRIGGER 

TRIGGER 

o 

NOT 

LEGAL 

DISABLE 

SUSPEND 

NO ACTION 

ENABLE 

NOT 

LEGAL 

NO ACTON 

DISABLE 

SUSPEND 

NO ACTION 

DISABLE ; 

TRIGGER 

ENABLE 

NO ACTION 

NO ACTION 

NO ACTION 

SUSPEND 

NO ACTION 


DISABLE 

NO ACTION 

RESUME 

RESUME 

TRIGGER 

D> 

NO ACTION 

DISABLE 

SUSPEND 

; NO ACTION 


Only if transform is completed after previous trigger 


Figure 8 Prompt Sequencing 


are illegal. 

Each value-bearing flow must be specified either by its composition, i.e. a set of 
component flows or by a flow specification. A flow' specification defines in detail what a 
flow is. A flow specification may be textual, graphical, or tabular. There can be several 
classes of flows in a transform schema, e.g. information, material, or energy. The format 
for a flow specification must be tailored to the class with which it is used. 

An abstract continuously available flow, can consist of a set of continuously available 
flows, intermittently available flows, and signals. An abstract, intermittently available 
flow, can only be specified as a set of intermittently available flows. The notation of 
DeMarco [8] for the composition of abstract flows is recommended. 

Esizh signal mini hsm. in mssuunz sgsnSkzL 

Each store must be specified either by its composition, i.e. a set of component stores or 
by a stored flow- specification. A store specification defines in detail what a stored flow 
is. A stored flow specification may be textual, graphical, or tabular. There can be several 
classes of stored flows in a transform schema, e.g. stored information, material, or 
energy. The format for a stored flow specification must be tailored to the class with which 
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it is used. An abstract non-depletable store consists of a set of non-depletable stores and 
depletable stores. An abstract depletable store consists of a set of depletable stores. 

5. Balancing. Balancing is an analysis process used to assure consistency and rigor within 
a project. 

Level balancing assures that the input and output flows of a transform are completely 
accounted for in its transform schema or transform specification. This means that the union of 
all input flow decompositions of the parent transform shall map onto the union of all input flow 
decompositions on the child transform schema, i.e. the two sets shall be identical. Likewise, the 
union of all output flow decompositions of the parent transform shall map onto the union of all 
output flow decompositions on the transform schema or transform specification, i.e. the two sets 
shall be identical. Level balancing also applies to control specifications. IfJte omgQMMl QfJ L 
ffnw sk£mmiim ore, optional then the inpm oM oumi fa dminwMmi on ite umifon n. 
xtejM musL am into the inm an d omm fl<> w dscmmiimi ql tte m&u tnmfnnrL if the. 
tornEonem of a flow dfmnmii Mi qls. muimllx adusm. then ths. input and omm fe 
dezompoMMi on the tr&nifonn xhzmo. u mi jmq. ioifl ons. of lhs. muimlly. hum. qM - 

QUtpMl fhm d££mj2Q2iMni QL the mu m transform. Figure 9 illustrates the concept of a flow 

The filled nodes 
represent 
the de-composi- 
tion of a flow 


Figure 9 The Concept of Flow 
Composition 



decomposition. 

Flow merge/branch balancing assures that the union of all flow decompositions entering a 
merge, maps onto the flow decomposition leaving a merge. Likewise, the flow decomposition 
entering a branch, must map onto the union of the flow decompositions leaving a branch. 

Store balancing is performed to assure that the union of all flow decompositions for flows 
listed as outputs from a store must map onto the flow decomposition for the flow that the 
store represents, i.e. the two sets must be identical. The union of all flow decompositions 
for flows listed as inputs to a store must map into the flow decomposition for the flow 
that the store represents, i.e. the input set must be a sub-set of the store set. 

6. Example. Consider a very simple automotive cruise control system, whose driver 
interface is shown in Figure 10. The functions to be performed b\ this system are limited 
to capturing and storing the actual speed for use as the desired speed; maintaining the 
desired speed by comparing the desired and actual speeds and adjusting the throttle 
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setting to minimize the deviation; and increasing the speed at a constant rate by gradually 
increasing the throttle setting. 
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CRUISE CONTROL 


RESUME 
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□ □ □ 

MAINTAIN INCREASE 
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ON 

OFF 

ON 

OFF 


ON 

OFF 


Figure 10 Driver Interface 

Figure 11 is a transform schema that models the operation of this cruise control system. 
There are two levels of control. The upper level, performed by the ’’Monitor CC Status’’ 
transform, enables the lower level of control while the engine is running and disables 
them otherwise. 
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Figure 11 Transform Schema for Cruise Control Example 
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Monitor CC Status 


ENGINE 

STATUS 

CRUISE 

CONTROL 

STATUS 

CONTROL 

SPEED 

STATUS 

ON 

ON 

ENABLE 

ON 

OFF 

DISABLE 

OFF 

ON 

* 

OFF 

OFF 

DISABLE 


Figure 12 Sample Activation table 

The control specification for the transform "Monitor CC Status" is an activation table and 
is shown in Figure 12. This transform enables the lower level of control, Control Speed 
when the engine is running and the cruise control on/off switch is in the on state. It is 
specified by the state transition diagram of Figure 13. The control transform Monitor 
Status” assures that after the engine is turned off and then back on, the cruise contro 
on/off switch has to be returned to off before and then back on to re-activate the cruise 

control system. 
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Figure 13 Sample State Diagram 
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The lowest level of control on Figure 11, when enabled, carries out driver commands 
subject to conditions on the speed and the brake status. It is specified by the state 
transition diagram of Figure 14. An equivalent state transition matrix is shown in Figure 
15. Notice that a driver request to maintain the current speed is obeyed only if the speed 
is over 30 mph and if the brake pedal is not currently depressed. 

Since Figure 11 contains flow transforms and also represents control of those transforms, 
it is fairly ”busy”. To allow the creation of simplified views of such schemas different 
”views” may be used. For example, one subset could show only flow transforms with 
their inputs and outputs (Figure 15) and another subset could show control transforms 
with their inputs and outputs, along with the flow transforms connected to the control 
transforms but minus any inputs and outputs other than control transform connections 
(Figure 16). 


Current Speed 


Capture 
Current 
Speed J 


Current Speed 


Desired Speed (DS) 




Maintain 
Desired 
^ Speed J 

r a 


Increase 

Speed 



Throttle Position 


Current Speed 


J 


Figure 15 Transform Schema - Flow Transform View 

8. Execution of the Model. A model built with the notation described here is executable 
in essentially the same sense as a model built with the notation described in [2], However, 
the use of continuous flow's and of stores as inputs to and outputs from control transforms 
requires that the tokens associated with these flows be assigned values so that transition 
inputs can be evaluated. Also, the use of composite enable/disable and suspend/resume 
flows requires that tokens placed on these flows be given values to distinguish which 
prompt is being sent. 
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Engine CC Status 
Status 



Figure 16 Transform Schema - Control Transform View 
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System Architecture Model 

C. Ingvar Svensson 

Principal Engineer, Avionic/Flight Systems Engineering 
Boeing Commercial Airplanes 
Seattle, Washington 

1. Introduction. A transform schema defines the transforms, stores, and flows 
needed to perform a task. It also defines in what way the task must adjust to 
external and internal events and condition. A transform schema is created 
during a structured analysis of a task for which a mechanization or 
organization is to be developed. 

An architecture is the physical arrangement of a mechanization or organization 
in terms of its components. An architecture is defined in terms of entities that 
’’host” transforms and stores or convey value-bearing flows between host 
entities. An architecture definition should include the user(s) as entities, i.e. 
those entities that will directly interface with the mechanization or organization 
being considered. The architecture concept may also be used to group 
transforms and stores into abstract entities in order to gain different views of 
the design. A software architecture is an example of an architecture of abstract 

entities. 

An architecture definition is captured in an architecture diagram. The 
architecture diagram is composed of objects representing entities and 
value-bearing flows. An architecture diagram is created during a design study 
and must be fully traceable to a transform schema. 

2 . Architecture Diagram Objects. Three object can appear on an architecture 
diaeram. These are architecture entity, terminator, and value-bearing flous as 
shown in Figure 1. 

ARCHITECTURE VALUE BEARING 
ENTITY FLOWS 

( 'l CONTINUOUSLY AVAILABLE 


TERMINATOR 'nter m.ttentlv ava ilable 


Fieure 1 Architecture Diagram Objects 

Terminators represent architecture entities that provide flows (information, 
material, energy) to. or receives flows from, the system under study but where 
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the behavior and processing characteristics are unknown. A terminator carries 
a label describing the system that it represents. The same terminator can 
appear on more than one architecture diagram. 

Architecture entities represent the embodiment of transforms and stores. Each 
architecture entity carries a label describing its purpose. The same architecture 
entity can appear in more than one architecture diagram. An architecture 
entity can be physical or abstract. It can represent a computer, a software 
module, or an organization. Each architecture entity carries a descriptive label. 
The symbol for an architecture entity may be tailored to more closely illustrate 
what it represent. For example symbols resembling a processor, a key-board, 
or a software entity may be used in lieu of the generic symbol of Figure 1. 

Value bearing flows represent variable-content information, material, or 
energy, that flows within the system or between the system and interfacing 
physical entities or systems. Each value bearing flow carries a label describing 
what it is. The same value bearing flow can appear on more than one 
transform schema. A continuously available flow represents information, or 
material, or energy, or any other item that moves within a system, or between 
a system and terminators, which is available at every point in time. An 
intermittently available flow represents information, material, energy, or an\ 
other item that moves within a system, or between a system and terminators, 
but is not available at every point in time. 

3. Architecture Diagram Connections. The connection rules are shown in 
Figure 2. The "X” indicates legal connections. In summary, sets of 
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X 

X 
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Figure 2 Architecture Entity Connection Rules 

architecture entities can be connected by value-bearing flows. An architecture 
entity can be connected to a terminator. However, terminators cannot be 
connected together. 
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4 . Object Specification. The rules for object specification are discussed in the 
following paragraphs. 

Each architecture entity must be specified by an architecture diagram i.e. a 
set of related architecture entities and flows or a detailed des.gn definition. 
Each architecture entity must have its functionality specified by a transform 
schema. Hardware drawings or source code are examples of detailed desig 
definitions. Each architecture entity that is specified by an archl ‘" c, " e 
diagram may have an overview drawing that shows the assembly of 
components on the architecture diagram, i.e the architecture d.agrams may be 
used as an index to the system drawings. 

In those cases when an architecture entity represents a simple conduit that has 
no active components, it need not be functionally specified by a transform 

schema. 

Each value-bearing flow must be specified either by its composition i.e. a set 
of component flows or by a flow specification A flow specification defines in 
detail what a flow is. A flow specification may be textual, graphical, or 
tabular There can be several classes of flows in a transform schema, e g. 
information, material, or energy. The format for a flow specification must be 
tailored to the class with which it is used. 

An abstract continuously available flow, can consist of a set of continuously 
available flows and intermittently available flows. An abstract, mterm.ttently 
available flow, can only be specified as a set of intermittently available flows. 


Level balancing assures that the input and output flows of an architecture 
entitv are completely accounted for in its architecture diagram. Level 
balancing also assures that the input and output flow-s of an architecture entity 
are completely accounted for in its related transform schema. 

Level balancing architecture entity to architecture diagram means that the 
union of all input flow decompositions of the parent architecture entity sha 
map onto the union of all input flow decompositions on the child architecture 
diagram, i.e. the two sets shall be identical. Likewise, the union of all output 
flow- decompositions of the parent architecture entity shall map onto the union 
of all output flow decompositions on the architecture diagram, i.e. the two 
sets shall be identical. Figure 3 illustrates the concept of a flow decomposition. 

Level balancing architecture entity to transform schema means that the union 
of all input flow decompositions of the architecture entity shall map onto the 
union of all input flow decompositions on the related transform schema, i.e. 
the two sets shall be identical. Likewise, the union of all output flow 
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The filled nodes represent 
the de-composition of a 
flow 


Figure 3 The Concept of Flow De-composition 

decompositions of the architecture entity shall map onto the union of all output 
flow decompositions on the related transform schema, i.e. the two sets shall be 
identical. 

6. Assignment. Each transform and store in a transform schema must be 
assiened to an architecture entity. If a transform must be split between two or 
more architecture entities, it must first be specified by a transform schema. 
The transforms on that transform schema may then be assigned to two or 
more architecture entities. If a store must be split between two or more 
architecture entities, it must first be specified by its composition. The store 
components may then be assigned to two or more architecture entities. Figure 
4 illustrates the concept of transform and store assignment. Set A represents a 



Figure 4 Illustration of Assignment and Traceability 

hierarchy of transforms and stores, constituting the functional requirements 
for a system. The components of the system are defined as architecture 
entities A.B. and C. These are shown as Set B. The transforms and stores of 
the functional requirements are assigned to the ’’host” architecture entities. As 
a result each architecture entity will have a set of processes assigned to it. If 
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applicable it will have stores assigned to it. Each set must be entered in a 
transform schema that constitutes the functional requirements for the related 
architecture entity. Transforms and stores can be added to the transform 
schema as dictated by the chosen architecture. This is illustrated in Set C. 
These additions may establish requirements for I/O processing, redundancy 
management etc. 

7. Traceability. Each transform or store that has been assigned has in reality 
been copied into the transform schema for the ’’host” architecture entity. 
Throughout the project, traceability must be maintained. This means that the 
flow interfaces to an assigned transform or store must be identical in each 
transform schema where the transform or store appears, i.e. one definition 
must map onto the other. Likewise, the specification of a transform or store 
must be identical wherever the transform or store appears, i.e. one 
specification must map onto the other. 

8. Example. The functional interface requirement between two architecture 
entities is specified by the flows that connect the sets of transforms and stores 
assigned to each architecture entity. This is illustrated in Figure 5a. In many 
designs the functional interface flows are ’’packaged” by some process into 
composite flows and later ’’unpacked". This is illustrated in Figure ob. If 
interface flows are routed from one processing entity to another via some 
conduit entity this is indicated as shown in Figure 5c. 
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